Static Code Analysis for Java Aug 12, 2013 by Checkmarx With so many applications being developed in Java, there’s an acute awareness of the importance of application security, and the best way to integrate security into the software development life cycle is though static code analysis. When it comes to static code analysis for Java there are many options to examine the code through plugins – however not all of these options have the right output for development teams. Developers feel their job is to develop code. They find testing somewhat of a chore, and if they don’t get results that can be acted on, or results that are inaccurate (contain many false positives / negatives) -they’ll soon find excuses to do something more interesting which means security issues can become engrained in the code. When the final testing is done pre-release – it can be a serious amount of work to go back and identify those issues and fix them. That costs time and money, and in some cases due to the strict deadlines that have to be met, the product will be shipped off with security vulnerabilities in it. Today’s leading Static Code Analysis (SCA) solutions work by compiling a fully query-able database of all aspects of the code analysis. Fine tuning the scanning to your exact requirements and security policy is very easy, and customers tend to develop their own security standard by combining a few rule packs that come out of the box with some rules that are specific to their application (e.g. OWASP Top 10 2013 + PCI DSS + A few business logic vulnerabilities). Then it’s easy to develop custom reports that present the information that your developers need in a format they can relate to. Results are not only presented in the standard list format, but also in a smart graph visualization that enables pinpointing the exact locations in the code that are most effective to remediate as they eliminate the most vulnerabilities with a single fix. These security scanners, available as IDE plugins, are available for the most prominent development environments (e.g. Eclipse) testing becomes less of a chore and more of an informed structured exercise where problems are remedied quickly and efficiently, and the release cycle is less prone to being compromised.