Gap Analysis of Code Scanners

A Deeper Dive into the Problem of False Negatives


Large organizations agree that finding security gaps early in a Software Development Lifecycle (SDLC) improves quality and reduces the cost of developing applications. Unfortunately, many of these organizations still rely exclusively on Static Application Security Testing (SAST) to find these security gaps. Is this really enough? While code scanners have their role, our report looks at security gaps that code scanners cannot catch (false negatives). Large organizations need a shift left strategy to help manage this risk.

Read the full report

Download the report

Key Takeaways

  • Scanners will always produce false positive and false negative results.
  • Scanners cannot understand intent, and are therefore limited in scope to what's actually in the code.
  • Not all vulnerabilities can be detected. Only around 50%.
  • Scanners use a number of analysis techniques with varying levels of success including Data flow, Control flow, Symbolic, and Taint analysis
  • Compiler optimizations often inject vulnerabilities and reduce the accuracy of code scanner results
  • Addressing vulnerabilities earlier in the software development lifecycle (SDLC) can help address the coverage gap.