Success with Static Analysis for Security: Why Code Audits Fail
Static analysis for security has been such a hot topic lately that the industry seems to be starting to think of it as a silver bullet. The quest for application security has breathed new life into static analysis technologies, which until quite recently were primarily perceived as either frivolous beautification tools or burdensome Big Brother monitoring systems. Surprisingly, the underlying technology was not substantially modified to address security; the changes were more like a facelift. As a result, organizations using static analysis technology still encounter the same fundamental challenges in making it sustainable over time.
The secret to making static analysis technologies a productive security solution is to use them in the proper context. The adoption of this technology should be driven by a policy-based approach. This means establishing a policy that defines requirements, then enforcing that policy consistently, not only with automation to ensure that the required practices are sustained, but also with workflow, task management, and metrics that let you measure how well the policy is being implemented. In the context of policy, static analysis is elevated from a "nice-to-have" checker to a critical tool for ensuring that code meets the organization's expectations.
This paper explains why and how to apply static analysis tools in the context of a policy-based security process that not only prevents security vulnerabilities, but also focuses on SDLC productivity.