Gap Analysis of Code Scanners to Improve Secure SDLC
A Deeper Dive into the Problem of False Negatives
AN APPLICATION SECURITY RESEARCH REPORT BY SECURITY COMPASS
Large organizations agree that finding security gaps early in the software development lifecycle (SDLC) improves quality and reduces the cost of developing applications. Unfortunately, many of these organizations still rely exclusively on Static Application Security Testing (SAST) to find those gaps. Is this really enough? While code scanners have their role, our report looks at the security gaps that code scanners cannot catch (false negatives). Large organizations need a shift-left strategy to manage this risk.
Scanners will always produce false positive and false negative results.
Scanners cannot understand developer intent, so they are limited to the patterns that are actually present in the code: a missing authorization check, or a function that is named like a sanitizer but does not sanitize, leaves nothing for a pattern to match.
Not all vulnerabilities can be detected by code scanners; the report estimates that only around 50% can.
Scanners rely on several program-analysis techniques, with varying degrees of success: data-flow analysis, control-flow analysis, symbolic execution, and taint analysis.
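To make the "cannot understand intent" point concrete, here is a toy taint-analysis scanner written for this summary (an added example, not Security Compass's tooling or anything from the report). It models the simplest form of the technique: values returned by a source are tainted, taint propagates through assignments and string concatenation, and a tainted argument reaching a sink is a finding. The source, sink and sanitizer names (`request_param`, `db_query`, `escape_sql`) and the two scanned programs are constructed for the illustration. The first program is a true positive; the second contains two bugs the scanner misses, one because it trusts a sanitizer by name and one because a missing ownership check is a matter of intent, not of syntax.

```python
import ast

# Rule set for the toy scanner. All names are assumptions for the illustration.
SOURCES = {"request_param"}   # return attacker-controlled data
SINKS = {"db_query"}          # dangerous when given tainted data
SANITIZERS = {"escape_sql"}   # trusted by NAME only: the scanner never reads their body


def _call_name(node):
    """Name of a plain function call like f(...), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
    return None


def _is_tainted(node, tainted):
    """True if the expression may carry data derived from a source."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False  # the scanner cannot tell whether the sanitizer is real
        return any(_is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):  # string concatenation, arithmetic, ...
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f-strings
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def scan(source):
    """Intra-procedural taint pass. Returns [(function_name, line)] for each tainted sink call."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if _is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)  # clean reassignment clears taint
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if _call_name(call) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                    findings.append((func.name, stmt.lineno))
    return findings


# Constructed sample 1: SQL built from a request parameter reaches the sink (true positive).
SAMPLE_TRUE_POSITIVE = """\
from webfw import request_param, db_query   # constructed module, never imported here
def lookup():
    user_id = request_param("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    db_query(query)
"""

# Constructed sample 2: two real bugs, zero findings (false negatives).
SAMPLE_FALSE_NEGATIVES = """\
from webfw import request_param, db_query, send_file, storage_path   # constructed names
def escape_sql(value):
    return value.strip()        # named like a sanitizer, but only trims whitespace
def lookup_by_name():
    name = escape_sql(request_param("name"))
    db_query("SELECT * FROM users WHERE name = '" + name + "'")
def download():
    doc_id = request_param("doc")
    return send_file(storage_path(doc_id))   # any user can fetch any document: intent, not syntax
"""

if __name__ == "__main__":
    print("sample 1 findings:", scan(SAMPLE_TRUE_POSITIVE))     # [('lookup', 5)]
    print("sample 2 findings:", scan(SAMPLE_FALSE_NEGATIVES))   # []
```

Both misses in the second sample are structural, not bugs in this particular scanner: a commercial tool with a richer rule set would still have to decide whether `escape_sql` is trustworthy from its name or signature, and no taint rule describes "this user is not allowed to see this record". Those are exactly the gaps that have to be closed by security requirements defined before the code exists.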
Compiler optimizations can introduce vulnerabilities that are not visible in the source, for example by removing a memset that clears a secret from memory as a dead store, so scanner results for the source do not always reflect the compiled binary.
Addressing vulnerabilities earlier in the software development lifecycle (SDLC), before the code reaches a scanner, helps close this coverage gap.
Security Compass is a software security company that provides professional services, training, and a Software Security Requirements Management (SSRM) platform to help companies eliminate security vulnerabilities in mission-critical applications, minimize organizational risk, and easily meet regulatory and compliance standards.
With Security Compass as a trusted information security partner, organizations can unify application security with business goals to build better, more secure software at a speed that meets their needs.