Static code analysis – manual scan versus automatic scan

In the picture in the previous section, you can see that the manual code review is executed when the project is ready for deployment in a typical security development lifecycle. The main idea to grasp here is that the manual review happens after the automatic scan, so its job is to spot the flaws the scanner missed: typically business logic, authorization, and misuse-of-cryptography issues that a tool matching code patterns cannot reason about. Some people will debate this, and you will be surprised at the range of opinions you get. Someone might tell you that a manual review is enough and that they don't need a scanner; that is too much ego, because we are human and we make mistakes no matter how good we are. Others will say that a scanner is enough, but experience shows there is always something left to catch after a scan has run. Lost? The answer is easy: you need both.

This may sound boring, but I'm doing my best to share the tips that can help you in your career, based on what I witness in my daily job. Now let's talk more deeply about Static Application Security Testing (SAST) scanners, because you will deal with them in a typical SDL. I'm not here to recommend products, but I have worked a lot with Veracode and it's a good product in general; I have also tried Checkmarx and found it pretty good as well.

The best way to use a SAST scanner is to wire it into continuous integration (CI). After the architecture phase, programmers start developing the product and push their changes to the build server as they finish them, typically daily. The scanner runs right after the build and flags any vulnerabilities in the newly committed code, so a flaw is reported while the change is still fresh in the developer's mind rather than weeks later. The application security analyst reviews the scanner's results and works with the development lead, also known as the security champion, to get the bugs fixed. Later, when the project is ready for release, the scanner backlog must contain no high or critical findings; that is the gate to pass before the manual source code review begins.

Most of the time during CI integration, you will be helping the project team evaluate false positives. The security champion submits a false-positive request in the SAST portal and waits for your approval before the finding is marked as such; until then it stays open in the backlog. Verify the request against the code before approving it, because a mistaken approval silently removes a real finding. Scanners are not perfect and a lot of issues can arise. Your role is to support the development team, and to report any bugs in the scanner itself to the vendor.
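As an added example (not code from the book or from any scanner vendor), here is the release gate and false-positive handling described above, written over SARIF 2.1.0, the interchange format most SAST scanners can export. It assumes the scanner records an analyst-approved false-positive request as a SARIF suppression with status "accepted"; the properties.severity key is a hypothetical scanner-specific field, and the sample findings are constructed. High and critical findings block the release, an accepted suppression removes a finding from the backlog, and a request the champion has filed but you have not yet approved keeps blocking.

```python
"""Release gate over SAST findings exported as SARIF 2.1.0.

Added example, not code from the book or from any scanner vendor. Assumes the
scanner exports SARIF and records an approved false-positive request as a
suppression with status "accepted". The "severity" key in each result's
properties bag is a hypothetical scanner-specific field; the SARIF "level"
is used as a fallback.
"""
import json

BLOCKING = {"critical", "high"}  # medium and low may stay in the backlog
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def severity_of(result):
    """Normalised severity of one result (properties.severity, else level)."""
    sev = result.get("properties", {}).get("severity")  # hypothetical key
    if sev is None:
        sev = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")
    return sev.lower()


def suppression_status(result):
    """'accepted', 'underReview', 'rejected', or None if not suppressed.

    Per SARIF 2.1.0 a suppression without an explicit status is accepted.
    """
    statuses = [s.get("status", "accepted") for s in result.get("suppressions", [])]
    for wanted in ("accepted", "underReview"):
        if wanted in statuses:
            return wanted
    return statuses[0] if statuses else None


def location_of(result):
    """'path:line' of the first reported location."""
    phys = result.get("locations", [{}])[0].get("physicalLocation", {})
    return "%s:%d" % (phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                      phys.get("region", {}).get("startLine", 0))


def release_gate(sarif):
    """Return (passed, blocking, pending).

    blocking: high/critical findings with no analyst-accepted suppression.
    pending:  those among them whose false-positive request is still waiting
              for the analyst; they keep blocking the release until approved.
    """
    blocking, pending = [], []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            if severity_of(result) not in BLOCKING:
                continue
            status = suppression_status(result)
            if status == "accepted":
                continue  # approved false positive, dropped from the backlog
            entry = (result.get("ruleId", "?"), location_of(result),
                     result.get("message", {}).get("text", ""))
            blocking.append(entry)
            if status == "underReview":
                pending.append(entry)
    return len(blocking) == 0, blocking, pending


def gate_from_file(path):
    """Run the gate over a SARIF file exported by the scanner."""
    with open(path, encoding="utf-8") as fh:
        return release_gate(json.load(fh))


def _result(rule, text, uri, line, level, severity=None, suppression=None):
    """One constructed SARIF result for the sample below."""
    r = {"ruleId": rule, "level": level, "message": {"text": text},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}
    if severity:
        r["properties"] = {"severity": severity}
    if suppression:
        r["suppressions"] = [suppression]
    return r


# Constructed sample of a nightly-build export; not real scanner output.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleSAST"}},
    "results": [
        _result("SQLI-001", "SQL built from request parameter",
                "src/orders.py", 42, "error", "critical"),
        _result("SECRET-007", "Hard-coded credential", "tests/fixtures.py", 9,
                "error", "high", {"kind": "external", "status": "accepted",
                                  "justification": "test fixture, not a real secret"}),
        _result("XSS-003", "Unescaped output in template", "src/views.py", 88,
                "error", "high", {"kind": "external", "status": "underReview"}),
        _result("INFO-002", "Verbose error page", "src/app.py", 15, "note", "low"),
        _result("DESER-004", "Untrusted deserialization", "src/api.py", 120,
                "error"),  # level only: scanner gave no severity
    ]}]}


if __name__ == "__main__":
    passed, blocking, pending = release_gate(SAMPLE_SARIF)
    print("release gate:", "PASS" if passed else "FAIL")
    for entry in blocking:
        note = "  <- false-positive request awaiting analyst" if entry in pending else ""
        print("  %s at %s: %s%s" % (entry[0], entry[1], entry[2], note))
    raise SystemExit(0 if passed else 1)
```

Run as a CI step right after the scanner export (gate_from_file on the exported SARIF); the non-zero exit fails the build while a high or critical finding is still open. Note that the sample's SECRET-007 disappears from the report only because its suppression is accepted, while XSS-003 still blocks even though the champion has already asked for it to be marked a false positive.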

If your employer asks you to evaluate a SAST scanner, I encourage you to check the best ones on the Gartner list and then do your own tests. Bring several of your own applications, ideally ones with known vulnerabilities, scan them with each candidate, and compare the number of false positives against the number of real vulnerabilities each scanner found. Don't blindly assume the Gartner choices are right without trying them yourself.