Amazon Web Services (AWS) has launched a code review-as-a-service program that will enable companies of all sizes to set up and manage their own bug-bounty programs – enlisting teams of developers and AI-driven vulnerability scanners to find and eliminate bugs in their cloud-based applications.
Designed as a way of gamifying the critical process of code reviews – testing and debugging source code, normally done manually as part of the continuous integration/continuous delivery (CI/CD) process – the AWS BugBust program allows companies to set up private online ‘events’ in which participating developers can leverage their skills in an attempt to find the most bugs.
Initially only available in AWS’s US East geography – but expected to roll out in other AWS service areas soon afterwards – the BugBust platform automatically manages leaderboards on behalf of the companies using the service.
It tracks progress with badges, rewards, and prizes – with the top 10 ‘BugBusters’ set to win an expenses-paid trip to the company’s AWS re:Invent 2021 conference in Las Vegas at the end of November.
Participants will be tapping the Amazon CodeGuru platform, a machine-language developer tool that automatically scans application code for programming errors, security vulnerabilities, and issues that can compromise performance.
CodeGuru was launched a year ago – scanning over 100m lines of code and integrating with GitHub and other application-development platforms – and relaunched this April with what the company called a “lower and predictable pricing model”.
Current public users include Atlassian, EagleDream, and DevFactory.
Working off the concept of ‘tech debt’ – the performance, productivity or financial costs created by inefficient technology deployments – CodeGuru’s two components, called CodeGuru Reviewer and CodeGuru Profiler, work together to identify common coding errors and identify the most ‘expensive’ lines of code, respectively.
“Hundreds of thousands of AWS customers are building and deploying new features to applications each day at high velocity and managing complex code at high volumes,” AWS vice president for Amazon Machine Learning said in debuting the new service.
“It’s difficult to get time from skilled developers to quickly perform effective code reviews since they’re busy building, innovating, and pushing out deployments.”
Automating code reviews
Although it has similar goals, the program is not a formal bug-bounty program for Amazon’s own infrastructure; it already runs such a program through its Amazon Vulnerability Research Program, which was launched in April last year and is managed on Amazon’s behalf by HackerOne.
That program has produced significant financial windfalls for some participants and generated a healthy pipeline of new bug reports, with around 650 bug reports from 215 different hackers received in the last 90 days.
Buoyed by the success of firms like HackerOne and Australian-born global success story BugCrowd, bug-bounty programs have become a significant part of the ongoing process of identifying and squashing security vulnerabilities and software bugs, with firms as diverse as Apple and the NAB offering cash prizes to encourage ethical hackers to probe and fix their applications before cybercriminals do.
Yet AWS BugBust is aiming further left, designed to help company developer teams – working alongside invited consultants or experts from anywhere in the world – identify potential problems in their web applications well before they make it into production.
That makes it a critical part of the CI/CD process, segueing with increasingly important DevOps processes that help application developers better define their requirements, and tie their work more closely to the platforms those applications will run on.
The ability to use as-a-service offerings to expedite group-based code reviews, without having to actually manage the program, will appeal in educational as well as commercial environments.
Calling the program “a fun and educative addition to our curriculum,” Miami Dade College dean of engineering, technology and design Antonio Delgado said at the launch of the program, will “help our students to become more confident in their ability to use the Python programming language and take their IT careers to the next level.”
The public university, whose students are spread across 29 locations in the greater Miami area, plans to tap AWS BugBust “every semester as a platform for our students to showcase and enhance their coding skills,” Delgado said, “all while being part of an exciting bug-bashing event.”