Static Code Analysis and Governance presented at OWASP AppSecAsiaPac 2012

by Jonathan Carter

Tags: Security

Summary: "Organisations love to use static code analysis tools to review their source code for application-security vulnerabilities. Often, vendors of these tools project a very ideal and rosy image of a tool that scans, detects, and reports all of your serious application vulnerabilities. The image looks great: predictable, stable, and complete detection of application-security issues without having to be an expert in security. Clients often buy into the imagery of a technology that can serve as a panacea for all of their application-security issues without having to have the security experience or specialized knowledge.
Unfortunately, there are a lot of technical issues with this type of technology that can seriously impact the accuracy of scanning results. All too often, clients are blissfully unaware of these issues as they are not popular topics of conversation amongst vendors when trying to sell these tools.
Under certain corner cases, the technology can produce a large number of false positives or false negatives for a client's source code. Clients can end up with a false sense of security or think the sky is falling. Both scenarios are bad. The impact on an organisation can be unexpected and unpleasant.
First, this discussion briefly covers what static code analysis entails. It also highlights the potential impacts of improper use of this technology on an organisation. Then, I present the technical (and often undetected) pitfalls that clients may experience that negatively impact the accuracy of scanner results. Finally, this discussion highlights how clients can mitigate the risks associated with these issues through the use of policies, guidelines, and processes.
This discussion helps users of this technology get the most out of static analysis tools while mitigating the risks from particular scenarios. Furthermore, the discussion illustrates how security governance and detection technologies must be in sync to achieve an accurate understanding of your current security posture."