We discuss the potential benefits, requirements, and implementation challenges of a security‐by‐design approach in which an integrated development environment plugin assists software developers to write code that complies with secure coding guidelines. We discuss how such a plugin can enable a company's policy‐setting security experts and developers to pass their knowledge on to each other more efficiently, and to let developers more effectively put that knowledge into practice. This is achieved by letting the team members develop customized rule sets that formalize coding guidelines and by letting the plugin check the compliance of code being written to those rule sets in real time, similar to an as‐you‐type spell checker. Upon detected violations, the plugin suggests options to quickly fix them and offers additional information for the developer. We share our experience with proof‐of‐concept designs and implementations rolled out in multiple companies, and present some future research and development directions.

中文翻译：

---

Sensei：在集成开发环境中实施安全编码指南

我们讨论了安全设计方法的潜在好处、要求和实现挑战，其中集成开发环境插件帮助软件开发人员编写符合安全编码指南的代码。我们讨论这样的插件如何使公司的策略制定安全专家和开发人员能够更有效地相互传递他们的知识，并让开发人员更有效地将这些知识付诸实践。这是通过让团队成员开发定制的规则集来规范编码指南并让插件实时检查写入这些规则集的代码的合规性来实现的，类似于键入时的拼写检查器。一经发现违规，该插件建议选项以快速修复它们并为开发人员提供其他信息。我们分享了我们在多家公司推出的概念验证设计和实施方面的经验，并提出了一些未来的研究和开发方向。