Enhancing Code Security with Amazon Q Developer’s AI-powered productivity tool
Use Amazon Q Developer's AI-powered tool to greatly accelerate your coding and ensure that your finished work is secure and stable.
Always anticipating your next move
AI tools can speed up many complex processes and help you uncover important insights.
In the case of Q Developer, machine-learning is leveraged to offer a powerful tool that predicts how you will complete the code you’re creating based on similar code in the same repository or available publicly on the internet.
For a while, Q Developer has been available as a standalone tool. You can still use it with Jetbrains or the VS Code IDE, but it is now also a core part of the Amazon Q Developer product.
Q Developer uses machine-learning to generate secure, personalized suggestions of code, based on your existing code and comments. These are offered to you as options with the ‘most likely’ completion first.
As you can imagine, this can take a lot of time out of coding. It can offer a wide variety of other suggestions too, giving plenty of room for your creativity. Furthermore, it can reduce time spent on testing, debugging, and scanning for security vulnerabilities.
How can you use Q Developer?
First, you need to sign-in to the Q Developer console with your AWS Builder ID. Then you just get typing.
Using Q Developer is as intuitive as you might expect. You just start typing code or comments, and it will start offering suitable suggestions.
The suggestions Q Developer makes are based on your input, existing code, and previous inputs. It will offer a variety of suggestions, which you can scroll through with the arrow keys until you find the right one.
Comments can be just as effective as code (perhaps more so) when prompting Q Developer to make a suggestion. Q Developer will decode the intent of your comment and search for functions, code blocks, or snippets that match what you’re looking for.
This way, you can create entire functions from just a suggestion as well as single lines of code. As you might expect, it can offer suggestions for all the major programming languages including ‘go-to’s’ like C# and JavaScript.
There are two ways you can access Q Developer: as a ‘standalone’ feature of AWS Toolkits (via Jetbrains or VS Code IDEs), or with the Amazon Q developer package as an integrated feature.
In case you’re not already familiar with it, Amazon Q is an AI-enhanced toolkit for extending and building AWS applications. It enables you to use a conversational interface and generative AI to increase productivity and build new applications in very short timescales.
How Q Developer also increases code security and stability
Thanks to its instantaneous AI-powered suggestions, Q Developer can dramatically reduce the time spent on software development – and that’s definitely a win. Another considerable benefit is it can increase the security and stability of your applications too.
Q Developer offers integrated security scans, so you can make sure your code is up to scratch throughout the development process. Security scanning is an essential ingredient for secure application development. These integrated scans use detectors from the CodeGuru Detector Library to conduct three kinds of scans: Static Application Security Testing (SAST), Secret information scanning, and Infrastructure-as-Code scanning.
These security scans will intelligently prioritize the most critical issues first. It quickly uncovers all kinds of hard-to-find vulnerabilities and security policy violations that would be very difficult to find otherwise.
Even better, Q Developer will offer suggested fixes (when it is able to do so), including suggested code improvements.
How to run a security scan in Q Developer
Everything about Q Developer is designed towards making life easier for developers, so conducting a security scan is also very straightforward.
You simply select ‘Run Security Scan’, and it will get to work – delivering results in about one minute.
It’s important to be aware, however, that the integrated security scans Q Developer provides do have some limitations.
Key limitations to Q Developer’s security scanning
Q Developer security scans can only cover the active project you’re working on in the IDE, plus files in the workspace. Also, because the scan is conducted server-side, it has a size limit (which varies by programming language). This is because it relies on transmitting your project as a packet of data, so it needs to set this limit to protect performance and for security reasons.
Also, while Q Developer can scan most of the common programming languages, it can only offer suggested code fixes for Java, JavaScript, and Python.
For Infrastructure-as-Code scanning, Q Developer only currently supports IaC in CloudFormation, Terraform, and AWS CDK (TypeScript and Python).
What to do when security scans find an issue
Once again, in most cases Q Developer makes things super-easy by offering suggested fixes for supported programming languages.
So long as you’re working in JavaScript, Java, and/or Python, you can implement these suggestions just by selecting ‘Apply Fix’ in the IDE. Otherwise, you’ll need to resolve issues yourself.
Once you’ve made all the suggested improvements to your code, it’s best practice to perform another scan to make sure it’s 100% problem-free and secure.
Transparency and auditability throughout
You can check that a file has been scanned by looking at the log and selecting ‘Show Scanned Files’. This gives you a clear overview of all the files that have been checked and can highlight when something has been missed. This can easily happen for any number of reasons - from file size to simple oversight.
Because the suggested code snippets and functions are based (in part) on open-source resources, you may also want to trace and verify where code has come from - and that it’s from a trusted source.
Thankfully, you can easily view the sources of suggestions in Q Developer, and you can also give feedback when suggestions are inappropriate for your requirements.
This is yet another layer of security and accountability, which helps you deliver secure projects in shortened timescales. Altogether, Q Developer offers substantial benefits for extending and building applications in AWS, by accelerating development and by supporting security throughout the development process.
