Gap Analysis of Code Scanners to Improve Secure SDLC

A Deeper Dive into the Problem of False Negatives
Large organizations agree that finding security gaps early in the Software Development Lifecycle (SDLC) improves quality and reduces the cost of developing applications. Unfortunately, many of these organizations still rely exclusively on Static Application Security Testing (SAST) to find these gaps. Is this really enough? While code scanners have their role, our report looks at the security gaps that code scanners cannot catch (false negatives). Large organizations need a shift-left strategy to help manage this risk.


Key Takeaways

  • Scanners will always produce false positive and false negative results.
  • Scanners cannot understand intent and are therefore limited in scope to what is actually in the code.
  • Not all vulnerabilities can be detected; scanners find only around 50%.
  • Scanners use a number of analysis techniques in vulnerability testing, with varying levels of success, including data flow, control flow, symbolic, and taint analysis.
  • Compiler optimizations often inject vulnerabilities and reduce the accuracy of code scanner results.
  • Addressing vulnerabilities earlier in the software development lifecycle (SDLC) can help address the coverage gap.
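To make the false-negative point concrete, here is an added example (not code from the report or from Security Compass): a toy taint analysis over constructed mini-programs, with hypothetical API names. It finds the classic source-to-sink flow, but misses the same flow through a sink it does not know about, and has nothing to report for a missing authorization check, because that bug is about intent rather than about code that exists.

```python
# Toy taint analysis: a program is a list of (target, callee, args) statements.
# The scanner knows fixed sets of sources, sinks and sanitizers (constructed).
SOURCES = {"request.param"}     # where untrusted input enters
SINKS = {"db.execute"}          # operations the scanner treats as dangerous
SANITIZERS = {"escape_sql"}     # calls assumed to neutralise taint


def taint_analysis(program, sources=SOURCES, sinks=SINKS, sanitizers=SANITIZERS):
    """Return findings as (statement index, sink, tainted args)."""
    tainted = set()
    findings = []
    for i, (target, callee, args) in enumerate(program):
        tainted_args = [a for a in args if a in tainted]
        if callee in sources:
            result_tainted = True
        elif callee in sanitizers:
            result_tainted = False          # the scanner trusts the sanitizer blindly
        else:
            result_tainted = bool(tainted_args)  # taint propagates through any call
        if callee in sinks and tainted_args:
            findings.append((i, callee, tainted_args))
        if target is not None:
            if result_tainted:
                tainted.add(target)
            else:
                tainted.discard(target)
    return findings


# 1. Classic injection: untrusted id concatenated into a query -> detected.
INJECTION = [("uid", "request.param", []),
             ("query", "concat", ["uid"]),
             (None, "db.execute", ["query"])]

# 2. Same flow into a sink the scanner has never heard of -> false negative.
UNKNOWN_SINK = [("uid", "request.param", []),
                ("query", "concat", ["uid"]),
                (None, "legacy.run_query", ["query"])]

# 3. Missing authorization check (IDOR): the record is fetched safely by id
#    but returned without verifying the caller owns it. No tainted data
#    reaches a dangerous sink, so taint analysis has nothing to flag.
MISSING_AUTHZ = [("uid", "request.param", []),
                 ("row", "db.fetch_by_id", ["uid"]),   # parameterised lookup
                 (None, "respond", ["row"])]
```

Teaching the scanner the extra sink (`sinks=SINKS | {"legacy.run_query"}`) recovers case 2; case 3 stays invisible to any source-to-sink model.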