Given the wide range of source code analysis tools, security professionals, auditors and developers alike are faced with a question:
How to assess a Static Analysis Software Testing (SAST) tool for deployment? Choosing the right tool requires different considerations during each stage of the SAST tool evaluation process.
The following qualifiers are required prior to testing the SAST tool in order to set initial expectations:
- List of languages. Ensure that the SAST tool supports the languages in the development environment.
- Access to source and binary files. Some SAST tools run only on the source code files (pre-compilation scanning), while others run on the binaries (post-compilation scanning). As opposed to scanning the source code, post-compilation scanning requires all project dependencies in order to run the scan.
- Deployment. Confirm the SAST tool supports the preferred mode of operation – on premise or on-demand.
- Parties within the organization responsible for code security. Define how code security is managed within the organization. For example, one organization might prefer having a dedicated team – such as code auditors or an application security team – which provides the security services to the organization.
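The first qualifier (language coverage) is easy to check mechanically before any trial scan. The script below is an added example, not part of the article: it inventories a code base by file extension, prunes dependency and build directories, and reports which languages a candidate tool would leave unscanned. The extension map, the sample paths and the tool's supported-language list are all constructed assumptions.

```python
import os
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed extension-to-language mapping; extend it for your own estate.
EXT_TO_LANG: Dict[str, str] = {
    ".java": "Java", ".kt": "Kotlin", ".py": "Python", ".js": "JavaScript",
    ".ts": "TypeScript", ".go": "Go", ".cs": "C#", ".c": "C", ".h": "C",
    ".cpp": "C++", ".rb": "Ruby", ".php": "PHP", ".tf": "Terraform",
}
# Third-party or generated code: not what a pre-compilation scan should be judged on.
SKIP_DIRS = {".git", "node_modules", "vendor", "build", "dist", "target"}


def walk_repo(root: str) -> Iterable[str]:
    """Yield file paths under root, pruning dependency/build directories in place."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            yield os.path.join(dirpath, name)


def inventory(paths: Iterable[str]) -> Counter:
    """Count files per language; extensions not in the map are tallied as 'unknown'."""
    counts: Counter = Counter()
    for p in paths:
        ext = os.path.splitext(p)[1].lower()
        if ext:  # extensionless files (Makefile, LICENSE) are ignored
            counts[EXT_TO_LANG.get(ext, "unknown")] += 1
    return counts


def coverage_gaps(counts: Counter, supported: Iterable[str]) -> Tuple[float, List[Tuple[str, int]]]:
    """Return (fraction of files the tool can scan, [(language, file count)] it cannot).
    'unknown' is treated as uncovered so unmapped file types surface instead of vanishing."""
    ok = {s.lower() for s in supported}
    total = sum(counts.values())
    covered = sum(n for lang, n in counts.items() if lang.lower() in ok)
    gaps = sorted(((l, n) for l, n in counts.items() if l.lower() not in ok), key=lambda x: -x[1])
    return (covered / total if total else 1.0), gaps


# Constructed sample standing in for walk_repo("/path/to/repo"); hypothetical vendor language list.
SAMPLE_PATHS = ["src/main/java/App.java", "src/main/java/Auth.java", "src/main/kotlin/Util.kt",
                "web/app.js", "web/api.ts", "infra/main.tf", "scripts/deploy.py", "README.md"]
TOOL_LANGS = ["Java", "JavaScript", "TypeScript", "Python"]

if __name__ == "__main__":
    frac, gaps = coverage_gaps(inventory(SAMPLE_PATHS), TOOL_LANGS)
    print(f"scannable: {frac:.0%}; unscanned: {gaps}")
```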