Dec 21, 2018

Carnegie Mellon’s Software Engineering Institute Report Shows Efficacy of Static Application Security Testing

By Laura Paine

A new report from Carnegie Mellon University’s Software Engineering Institute shows that automated, integrated static analysis improves software quality, reduces development time, and makes software more reliable and secure. By incorporating application security testing throughout the entire Software Development Lifecycle (SDLC), organizations are able to ensure the security and quality of their software while increasing speed-to-market.

The findings stand in support of what our own data and customer practices have shown. In the State of Software Security Volume 9, analysis of Veracode’s application testing data found that development teams that implemented DevSecOps practices fixed flaws 11.5 times faster than typical organizations. While Nichols’ report does not include vendor comparisons, it does provide an overall analysis of the total benefits of a secure development approach.

Development teams at three organizations were observed, with each team using both static code analysis (SCA) and static binary analysis (SBA). The teams each used these software development tools at different times in the SDLC, across multiple and varying projects. The study found that applying the tools added no additional effort for development teams prior to release, and that as developers sharpened their secure coding skills, false positive rates declined along with cleaner code. It further recommends that organizations build and automate static testing into their workflows across the SDLC, and continue to apply human analysis to testing results to ensure quality.

Three Must-Have Solutions to Kick-Off Your Application Security Program

Building and maturing an application security program might seem like a daunting project, but getting started is simpler than you think. There is an established series of steps most organizations take when developing their programs. Here are the three solutions we recommend to get you started in securing your business-critical applications:

1. Veracode Static Analysis IDE Scan: Deliver applications faster and meet your development timelines by writing secure code the first time around. Veracode Static Analysis IDE Scan, an IDE- or CI-integrated continuous flaw feedback and secure coding education solution, returns scans in seconds, which helps developers discern whether their code is secure. This solution helps teams maintain development velocity, reduce the number of flaws introduced into an application, and strengthen secure coding skills and practices.

2. Static Analysis: Veracode Static Analysis enables you to quickly identify and remediate application security flaws at scale and with efficiency. Our SaaS-based platform integrates with development and security tools to make testing a seamless part of your process. Once flaws are identified, teams can leverage in-line remediation advice and one-to-one coaching to reduce mean time to resolve.

3. Software Composition Analysis: While the report found that SAST wasn’t the strongest solution for reducing the risk of open source components, modern software composition analysis is. Today, applications are more often assembled from other sources, and in a typical application we’re seeing some comprised of up to 90 percent third-party code. Veracode’s SCA uses real machine learning and natural language processing to identify potential vulnerabilities in open source libraries with a high level of accuracy. By understanding the status of the components within an application, and whether a vulnerable method is actually being called, organizations can prioritize fixes based on the riskiest use of components and maintain their speed-to-market.

Applications continue to be one of the top attack vectors for malicious actors, and while there is no application security silver bullet, we can help you implement automated techniques and manual processes to ensure that your applications are secure. To start creating more secure software today and learn more about how our solutions can help drive down application risk in your organization, contact us.


Laura Paine is a senior product marketing manager at Veracode, based in Burlington, MA.