Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Static application security testing (SAST) is the analysis of computer software that is performed without the need to actually execute the program. The term is usually applied to analysis performed by an automated tool, whereas human analysis is typically called security-focused code review. The primary objective of SAST is to gain an understanding of the software’s behaviour, usually with the aim of uncovering security, privacy, and quality defects.
In recent years, commercial SAST solutions have matured considerably, and they now offer numerous methods of integrating with various development processes and support systems: continuous integration, bug trackers, revision control, peer code review tools, and so on. However, NCC Group routinely encounters ineffective or suboptimal static analysis deployments that either fail to accommodate the requirements of a secure development lifecycle (SDLC) or tend to impose a significant burden on development staff, leading to disengagement and patterns of misuse. These shortcomings frequently result in the SAST solution failing to serve its primary purpose: to improve software security.
In this paper we describe a methodology for evaluating and selecting the most appropriate static code analysis solution for your software organisation, as well as best practice guidance for effectively integrating that solution with your development procedures as part of a mature secure development lifecycle.
Author: Jeremy Boone