How to Help Developers Make Friends with Security Testing
June 21, 2021

Walter Capitani
GrammaTech

Static application security testing (SAST), which scans code to find vulnerabilities and bugs, is increasingly considered a best practice for detecting problems early in the development cycle.

When integrated into the development environment, SAST can detect fundamental security errors that can introduce vulnerabilities, and help developers avoid making similar mistakes in the future. It also reduces costs. Savings from finding and fixing vulnerabilities during development range from a low of 20% up to a high of 100% when a defect is detected at the initial design phase.

However, to gain broader adoption both within an organization and across the industry SAST must overcome several barriers based on lingering perceptions. Let’s look at these in more detail.

False positives

Easily the biggest criticism of SAST (and static analysis in general) is false positives or more importantly, the impression that the tools are imprecise and waste developer’s time. SAST is designed to balance incorrect warnings (false positives) with missed vulnerabilities (false negatives.)

Understanding warnings

Most Static analysis provides compiler-like warnings, but little more in the way of guidance and understanding of these alerts. Without detailed information including links to related software weaknesses (Common Weakness Enumeration or CWE reference) and complete trace information, developers are forced to determine the root cause of an alert on their own and whether it is a real vulnerability.

Developer overload

Developers are busy and under pressure to deliver on tight schedules. Modern continuous integration practices, while beneficial, do limit any slack time to tackle "extra tasks" that improve quality and security. It’s critical that SAST (and other security practices) be integrated into the developer workflow as seamlessly as possible. SAST should provide usable and actionable information for developers. A key aspect of this is prioritizing and focusing on critical vulnerabilities. A common cause of overload with SAST is to take on too much too soon.

Slowing development

Related to both the impression that SAST is imprecise or "noisy" and overloads developers, is the belief that it slows down development. Which often leads to relegating security testing until later in the development cycle. Proper integration of SAST into workflows and continuous integration/continuous development (CI/CD) pipelines is the key to improving security without impacting development velocity.

Missed vulnerabilities

SAST is effective for detecting certain classes of vulnerabilities. For example, vulnerabilities related to buffer overflows, memory management errors, and pointer misuse. SAST is also excellent for enforcing secure coding standards such as SEI CERT C/C++, MISRA C/C++ and even custom rules.

However, other classes of vulnerabilities such as configuration issues are more difficult to detect with SAST. This perception is interesting because organizations would certainly miss more vulnerabilities without SAST, which is meant to be used in conjunction with a comprehensive security-first approach to software development.

Removing SAST Roadblocks

Despite these barriers, there are ways to efficiently process and eliminate false positives in bulk. Software teams new to static analysis tend to want all the bells and whistles enabled until they get their first full analysis report. Configuration plays an important role in reducing human workloads by automatically prioritizing warnings based on risk.

Even for software teams that are motivated to integrate SAST into their DevSecOps pipeline, high rates of warnings can be a deterrent to getting the most out of testing early in the project when it benefits them most.

Here are three best practices to facilitate the adoption of SAST:

Filter and Focus: Filter viewed data from the SAST interface, focusing on what is most important for the project and assigning developers to fix critical issues in priority order.

Mark and Defer: Lower the priority, or change the state to "later," for example, on all or a subset of the warnings based on some set of conditions that are less crucial to the project.

Stop the Bleeding: Use the above techniques to temporarily defer existing warnings with the emphasis on fixing new defects that are introduced as code is changed or new code is developed.

To implement these recommendations, use a scoring system which indicates both the severity of an error and the likelihood of the analysis being correct. A high score indicates a possible serious error with a high confidence in being a true positive result versus a false positive. A filter could choose to ignore low scoring warnings to focus on high impact, high confidence warnings.

Visualization

Visual representation helps developers both understand the root cause of warnings and fix the detected bug more easily. This typically will include a detailed description at the location of the warning in the code, the path visualization in code and a visual call tree for more complex issues. This approach greatly reduces the average mean time for discovering the root cause of an alert and remediation. Meanwhile, SAST processes should be configured to record and maintain findings so investigating previously resolved warnings isn’t repeated with each analysis.

Toolchain Integration

Finally, SAST must be integrated within the software automation tool chain as well as development methodologies and processes. This is mainly due to the fact they can be used locally by developers on their desktop for instantaneous feedback and to analyze a complete build at the time of their choosing. Since SAST is completely autonomous from the development workflow, it can be invoked whenever it makes sense to check for bugs and security vulnerabilities in code as shown in the following diagram.


Integration points for SAST tools in a DevSecOps pipeline

Summary

Proper use of SAST in developer workflows and integrated development environments (IDE) is critical to moving security to the earliest stages of development, commonly known as shifting left. Implementing the best practices listed above will result in as little disruption as possible for developers, which will go a long way to alleviating the barriers to adoption and negative perceptions often associated with SAST.

Walter Capitani is Director of Technical Product Management for GrammaTech
Share this

Industry News

July 29, 2021

Couchbase announced the general availability of Couchbase Server 7.

July 29, 2021

Cycloid has unveiled Infra Import, a tool that automatically reverse engineers Terraform Infra-as-Code (IaC) from manually deployed infrastructure.

July 29, 2021

Launchable closed a $9.5 million Series A investment.

July 29, 2021

Rafay Systems announced automation and monitoring enhancements to its flagship Kubernetes Management Cloud (KMC).

July 28, 2021

Progress announced the R2 2021 release of Progress Telerik Test Studio, the enterprise UI test automation platform.

July 28, 2021

Synopsys announced the availability of new Rapid Scan capabilities within the company's Coverity static application security testing (SAST) and Black Duck software composition analysis (SCA) solutions.

July 28, 2021

Bitdefender announced GravityZone Security for Containers, expanding its cloud workload security (CWS) offering with run-time support for containers and Linux kernel independence.

July 28, 2021

Armory announced Armory Enterprise on AWS Quick Starts, automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners.

July 27, 2021

Katalon introduced Katalon TestOps, an open and comprehensive test orchestration platform designed to help enterprises scale test automation and streamline DevOps pipelines.

July 27, 2021

Digital.ai achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status for an Enterprise Agile Planning (EAP) tool.

July 27, 2021

Aqua Security rolls out the availability of its new Aqua Platform, with a unified console to ease the journey from scanning and visibility to workload protection in cloud native environments.

July 26, 2021

Parallel Agile announced a new version of CodeBot, a low-code MERN stack application generator.

July 26, 2021

Appian unveiled its new Appian Japan regional office.

July 26, 2021

CloudTruth raised $5.25 million in seed funding led by Glasswing Ventures and Gutbrain Ventures, with additional funding from Stage 1 Ventures and York IE.

July 22, 2021

Postman successfully obtained the System and Organization Controls (SOC) 2 Type 2 and SOC 3 Type 2 reports for the Postman API platform, meeting critical industry standards relative to the Trust Services Criteria for security, availability, and confidentiality.