Checkmarx source code analysis technologies
News
 
05.07.2009   Success with Static Analysis, Security Innovation, June 2009
 
Recently there have been fundamental changes in the static security analysis tool space that directly address the major issues that made developers shy away from the earlier tools: usability, efficiency and false positive reporting.
 
Software security requires that software teams create secure code and validate that the resulting executables are not vulnerable. Penetration testing executables is a good practice to ensure that the code was actually built correctly, but it is no substitute for doing it right in the first place. Static security analysis tools allow development teams to locate and mitigate security issues during the development process, which not only leads to less vulnerable code but is also cheaper, because it locates the problems early in the development cycle, where they are inexpensive to repair. First generation static security analysis tools such as those from Fortify and Ounce allow software teams to rapidly locate security defects in source code, but they also result in a great deal of false positive reports that cost time and money to validate and minimize the program's utility. Next generation static security analysis tools such as those from Checkmarx dramatically reduce the false positive rates found in the first generation tooling and integrate with existing developers' and testers' tools, allowing teams to treat static security analysis as an integral part of the development process without undue overhead, while enforcing the development of secure software.
Static analysis, like software development in general, is an evolving science and is not yet perfect, but the current crop of security-focused tools makes it much harder to create insecure applications and is another step in ensuring user data is safe in our modern world where software is ubiquitous.

