How many static application security testing (SAST) tools does your enterprise need? According to Dark Reading, just one won't cut it, no matter how advanced it is. But with a wealth of in-house and outsourced options, how do you choose the right static tools, and how do you know when enough is enough?
As Dark Reading's Kevin Greene noted, part of the problem with static analysis comes from oversimplification. Static analysis tools can scan an entire application, but they typically lack breadth and depth, which "may lead tools to make inaccurate assumptions about code; as a result they miss (simple) things and produce a generous amount of false positives." Dealing with the false positives is problem enough. More worrisome are the false negatives: companies aren't getting the full picture, because some real flaws go unreported.
This leads to the second problem with static testing in isolation: not all code is the same. Beyond the inherent differences among C++, Java and PHP, the way code is written can create or close security gaps, and a single static tool won't catch them all. Greene is quick to point out that there is no ubertool that solves this, and no single vendor that can guarantee complete coverage. Is progress being made? Absolutely. The Department of Homeland Security's Software Assurance Marketplace (SWAMP) aims to improve static analysis, but it's no replacement for a simpler fix: using multiple solutions.
Research firm Gartner names "risk-based security and self-protection," including the development of improved static application security testing, as one of 10 trends to watch through 2015. This shouldn't come as a surprise: the Financial Services Information Sharing and Analysis Center (FS-ISAC) already recommends static testing as one of three critical controls for reducing third-party software risk, and static tools have a solid track record of detecting everything from SQL injection and cross-site scripting to buffer overflows. Tossing out static analysis altogether, then, makes no sense; alternatives such as dynamic analysis simply aren't fast enough to cover the sheer number of apps enterprises use.
So what's the answer? The multiple method: run more than one static tool, so that disagreements between tools flag likely false positives and each tool catches what the others miss. There's no hard-and-fast number, since every enterprise is different, but three to four is typically enough to produce solid results without dragging out scan and triage times. A pair of tools isn't quite enough, especially if they use similar techniques, because they will share the same blind spots. Beyond four, the value of each additional tool falls as the time to get results grows.
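As an added example (not from the article or from Dark Reading), here is one way to put the multiple-tool approach into practice: normalise each scanner's findings, merge reports that point at the same weakness, rank them by how many tools agree, and count each tool's unique contributions so you can see when another tool stops paying for itself. The tool names, file paths and findings below are constructed for illustration; real scanners emit SARIF, which you would parse into this shape first.

```python
from collections import defaultdict

# Constructed sample output from three hypothetical tools (tool_a, tool_b,
# tool_c) run over the same application. Real tools emit SARIF; these dicts
# are the subset of fields you would extract after normalising each report.
FINDINGS = [
    {"tool": "tool_a", "file": "app/db.py", "line": 42, "cwe": "CWE-89",
     "message": "SQL statement built from request parameter"},
    {"tool": "tool_b", "file": "app/db.py", "line": 43, "cwe": "CWE-89",
     "message": "Possible SQL injection"},
    {"tool": "tool_c", "file": "app/views.py", "line": 10, "cwe": "CWE-79",
     "message": "Unescaped output written to response"},
    {"tool": "tool_a", "file": "app/config.py", "line": 7, "cwe": "CWE-798",
     "message": "Hardcoded credential"},
    {"tool": "tool_b", "file": "app/config.py", "line": 7, "cwe": "CWE-798",
     "message": "Hardcoded password"},
    {"tool": "tool_c", "file": "app/config.py", "line": 8, "cwe": "CWE-798",
     "message": "Secret literal in source"},
    {"tool": "tool_a", "file": "app/upload.py", "line": 120, "cwe": "CWE-22",
     "message": "Path built from user-controlled filename"},
    {"tool": "tool_c", "file": "app/util.py", "line": 99, "cwe": "CWE-20",
     "message": "Input not validated"},
]

TOOLS = ("tool_a", "tool_b", "tool_c")


def correlate(findings, line_window=2):
    """Merge findings that point at the same weakness.

    Two reports are treated as the same issue when they share file and CWE
    and their lines are within line_window of each other; tools routinely
    disagree by a line or two about where a sink "is".
    """
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["file"], f["cwe"])].append(f)

    clusters = []
    for (path, cwe), group in sorted(grouped.items()):
        group.sort(key=lambda f: f["line"])
        current = None
        for f in group:
            if current is not None and f["line"] - current["lines"][-1] <= line_window:
                current["lines"].append(f["line"])
                current["tools"].add(f["tool"])
                current["messages"].append(f"{f['tool']}: {f['message']}")
            else:
                current = {"file": path, "cwe": cwe, "lines": [f["line"]],
                           "tools": {f["tool"]},
                           "messages": [f"{f['tool']}: {f['message']}"]}
                clusters.append(current)
    # Freeze the tool sets as sorted lists so output is deterministic.
    for c in clusters:
        c["tools"] = sorted(c["tools"])
    return clusters


def prioritise(clusters):
    """Order clusters by how many tools agree, most agreement first.

    Single-tool findings are where false positives concentrate, but they are
    also each tool's unique coverage, so they are ranked lower, not dropped.
    """
    return sorted(clusters, key=lambda c: (-len(c["tools"]), c["file"], c["lines"][0]))


def unique_findings_per_tool(clusters, tools=TOOLS):
    """Count clusters reported by exactly one tool, per tool.

    A tool with zero unique findings only confirms what others already found.
    That still helps agreement-based triage, but it is the first candidate to
    drop once scan time outweighs what the tool set adds.
    """
    counts = {t: 0 for t in tools}
    for c in clusters:
        if len(c["tools"]) == 1:
            counts[c["tools"][0]] += 1
    return counts


if __name__ == "__main__":
    ranked = prioritise(correlate(FINDINGS))
    for c in ranked:
        span = f"{c['lines'][0]}-{c['lines'][-1]}" if len(c["lines"]) > 1 else str(c["lines"][0])
        print(f"{len(c['tools'])}/{len(TOOLS)} tools  {c['file']}:{span}  {c['cwe']}")
    print("unique findings per tool:", unique_findings_per_tool(ranked))
```

On the constructed data, the hardcoded secret is confirmed by all three tools and the SQL injection by two, so those go to the top of the queue; tool_b contributes no unique findings, which is exactly the "similar in form" pairing the paragraph above warns about. The line window is the knob to tune: too narrow and the same flaw shows up as several unconfirmed findings, too wide and distinct flaws of the same class in one file merge together.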
The simple takeaway: a single tool, no matter how powerful, isn't perfect. Secure agile development requires both static and dynamic testing, and static testing delivers its best accuracy when several tools work together.
Photo Source: Wikimedia Commons