How to Achieve Proactive Prevention in Quality and Security Management?

ZenTao Content
2025-08-28 17:00:00
Summary: This article addresses proactive prevention in quality and security management amid rising global cyberattacks, noting that adding security only once development is nearly complete no longer works. It introduces "Shift Left Security" and details ZenTao’s practices: clear coding, test and submission standards (tool-enforced), integration of technical tools, rigid R&D processes, and improved planning meetings, aiming to control risks early.

Globally, attacks leveraging system vulnerabilities have accumulated to over 97 billion instances. Among these, the Asia-Pacific region accounts for 42%, remaining the area with the highest cybersecurity risks worldwide. In the past, code security protection was only integrated when development was nearly completed. Back then, development cycles were long and this model worked. However, the iteration speed of current projects has accelerated significantly, with completion cycles shortened to weeks or even days, making the traditional model obsolete.


Against this backdrop, the concept of "Shift Left Security" has gradually emerged. The implementation of this concept relies on reorganizing the logic for code quality and security management. The core goal of quality and security management is to avoid risks through systematic measures rather than merely addressing problems that have already occurred. Achieving proactive prevention requires building a multi-dimensional prevention and control system covering process optimization and technology application to form a full-chain risk interception mechanism.

Clear Coding Standards

The ZenTao team has enhanced its R&D management by focusing on three aspects: coding standards, test-driven development, and code submission protocols, with an emphasis on tool-enforced constraints and process optimization.


In terms of coding standards, developers are required to limit each local commit to no more than 20 lines of code changes, and each push to no more than 60 lines (which corresponds to no more than 3 commits). Since relying solely on self-discipline is insufficient, the team has implemented gating mechanisms in its self-developed DevOps platform. A hook triggered on commit runs a diff check; if the line limit is exceeded, the commit is blocked. After a push, manual code review is required before the code can be merged. This process differs from GitHub’s Pull Request and GitLab’s merge request workflows. Future plans include adding code coverage requirements.
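As an added example of the diff-check gate described above (not ZenTao's own platform code), the following script can be installed as a git pre-commit hook, or run with `--push` from a pre-push hook, to enforce the stated limits from the output of `git diff --numstat`. The 20-line/60-line/3-commit limits come from the article; counting a changed line as an added or deleted line and skipping binary files are assumptions.

```python
#!/usr/bin/env python3
"""Commit-size gate (added example, not ZenTao's hook). Assumed limits from
the article: 20 changed lines per commit, 60 lines / 3 commits per push.
A changed line is an added or deleted line from `git diff --numstat`."""
import subprocess
import sys

COMMIT_LINE_LIMIT = 20   # per local commit
PUSH_LINE_LIMIT = 60     # per push
PUSH_COMMIT_LIMIT = 3    # commits per push

def count_changed_lines(numstat: str) -> int:
    """Sum added + deleted lines over a `git diff --numstat` listing."""
    total = 0
    for line in numstat.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # not a numstat row
        added, deleted = parts[0], parts[1]
        if added == "-" or deleted == "-":
            continue  # binary file: numstat gives no line counts
        total += int(added) + int(deleted)
    return total

def commit_allowed(numstat: str) -> bool:
    return count_changed_lines(numstat) <= COMMIT_LINE_LIMIT

def push_allowed(numstat: str, commit_count: int) -> bool:
    return (count_changed_lines(numstat) <= PUSH_LINE_LIMIT
            and commit_count <= PUSH_COMMIT_LIMIT)

def git(*args: str) -> str:
    return subprocess.check_output(["git", *args], text=True)

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--push":
        rng = "@{upstream}..HEAD"  # pre-push: commits not yet on upstream
        numstat = git("diff", "--numstat", rng)
        commits = int(git("rev-list", "--count", rng).strip())
        ok, what = push_allowed(numstat, commits), f"{commits} commit(s)"
    else:
        numstat = git("diff", "--cached", "--numstat")  # pre-commit: staged diff
        ok, what = commit_allowed(numstat), "the staged diff"
    if not ok:
        print(f"blocked: {count_changed_lines(numstat)} changed lines in {what} exceed the limit", file=sys.stderr)
        sys.exit(1)
```

A non-zero exit from a pre-commit or pre-push hook is what makes git refuse the operation, so the review step that follows a push only ever sees small batches.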


Regarding test-driven development, the team previously conducted a large-scale supplementation of unit tests but struggled to make it a consistent practice. Now, tools enforce the rule that code must pass unit tests before submission. Additional measures include mandatory manual code reviews and local test code inspections. The ZenTao project management software integrates tools such as Git, GitLab, Jenkins, and SonarQube to support R&D management. Design reviews are also enforced, and pipeline integration is planned for the future.


For code submission norms, the team originally used shared VIM environments. However, due to VIM’s limited support for collaboration, the custom development department has switched to Visual Studio Code with WAM mode. A company-wide transition is planned, along with integration into the DevOps pipeline. The team is also exploring the use of large language models for preliminary code reviews.


ZenTao’s code submission process is standardized as follows: enforced small-batch commits, verification of local unit test results, and manual code review. Previously, mandatory design and design review stages were also included. Once these norms are formally documented, they will fundamentally reduce quality and security issues caused by inconsistent practices. More importantly, clear standards help newcomers get up to speed more quickly and enhance team collaboration efficiency. When issues arise that require tracing, troubleshooting becomes more straightforward.

Deep Application of Technical Tools

The integration of automated detection tools during the development phase enables real-time risk interception. For example, the scanning feature of ZenTao’s DevOps platform consolidates elements such as associated code repositories, target branches, scanning scope, scanning policies, and triggers to perform code scans based on predefined strategies. Through scanning plans, customized scanning tasks can be created according to the characteristics of different projects, enabling the timely identification of defects, security risks, and other issues in the code. This ensures code quality, reduces project risks, and guarantees that the code meets quality standards throughout all stages, including development and maintenance.


Additionally, static code analysis tools should be integrated into the development environment to provide real-time feedback to developers. For instance, IDE plugins can highlight non-compliant code as it is written and suggest corrective measures. The use of such tools overcomes the limitations of manual inspections, enabling consistent and efficient risk identification.

Rigid R&D Process Standards

Many process standards remain at the advocacy level and are not implemented in practice. When processes become superficial, they lose their effectiveness.

1. Technical Design

Many team issues stem from overly casual technical design. Often, technical design is assigned to developers to handle during iterations, resulting in perfunctory efforts that create pitfalls for subsequent development, testing, and system optimization. ZenTao’s approach is to separate technical design from iterations and enforce its completion in advance. Before an iteration begins, three dedicated days are allocated for the technical team to focus on design. It is important to note that these three days are not additional but are reallocated from within the adjusted R&D process.


Key considerations include appointing senior employees as design leads to clarify responsibilities and ensure accountability. Design proposals must not be decided unilaterally but should undergo collective review. The ZenTao R&D Process Standards 3.0 clearly defines the roles and responsibilities of design and review leads across departments, ensuring ownership and accountability. This approach transforms technical design from an ambiguous, voluntary task into a structured process with clear timelines, responsible persons, reviews, and communication. By fundamentally ensuring the quality of design, it lays a solid foundation for the entire iteration.

2. Changes in Planning Meetings

Traditionally, planning meetings were often dominated by the product manager, which could lead to ineffective communication. ZenTao’s planning meetings now adopt a verification approach to ensure information is accurately conveyed and closed-loop communication is achieved.

  • Step 1: Technical Design Explanation. As mentioned earlier, the design lead first clearly explains the technical solution, ensuring the team reaches a consensus on "how to proceed."
  • Step 2: Developers Play Back Requirements. After requirements are assigned, developers do not start implementation immediately. Instead, they first articulate their understanding of the requirements to ensure no misinterpretations occur.
  • Step 3: Testers Define Core Test Cases. After the developers' explanation, testers translate the requirements into specific test points—defining what needs to be tested and how tasks should be broken down.

This approach transforms one-way requirement communication into multi-round interactive confirmations among developers, testers, and product managers, significantly reducing rework caused by misunderstandings. Although more time may be spent initially, it ultimately saves considerable effort throughout the iteration.


Proactive prevention of code quality and security issues fundamentally involves standardizing, automating, and streamlining management to control risks in the early stages of development. It requires a combination of technical tools and manual oversight, where rule enforcement and capability enhancement go hand in hand, ultimately forming a management model centered on "prevention first and continuous interception." Only by embedding the concept of proactive prevention into every stage—coding, testing, and review—can code quality and security be fundamentally improved, providing a solid foundation for stable system operation.
