AppSec Buyers’ Insights: Binary vs. Source Code Scanning

The discussion surrounding which is superior – binary or source code scanning – has plagued the static analysis market since its inception. A source code scanner analyzes un-compiled code, whereas a binary scanner analyzes compiled code, but in the end, the result is the same. They are simply two engineering solutions for the same problem. However, as a fundamental part of vendors’ approaches to SAST, it’s an area organizations are compelled to consider in their selection process. 

During this decade-long debate, there have been myths perpetuated for both methods, making the tradeoffs more difficult to dissect. Ultimately, when considered in a vacuum, the analysis misses the core components needed to stand up a comprehensive AppSec program, such as scalability, efficiency, and the people, process and program needed to support a successful AppSec team. In this blog, I aim to clarify some of the myths surrounding binary analysis, clarify why Veracode opted for this method, and give you the facts you need during your organization’s evaluation process. 

Myth 1: Compiling code takes more time and yields less accurate results 

The most obvious difference between a source code vs. binary scanner is that the binary scanner requires code to be compiled before scanning, which changes the structure of the code by removing dead code and adds a step in your testing process compared to source code scanning. At face value, this might seem less secure as you’re not testing all the code, and less efficient as any extra step takes extra time. However, compiling code is a required step, whether it happens before security testing or afterwards, because in order to execute in production, an application must be compiled. So the fundamental question becomes the visibility of vulnerabilities that scanning source code provides vs. scanning binaries, and the speed at which a vendor can help you identify and remediate these vulnerabilities. 

At Veracode, we settled on binary scanning as a side product of a much more important feature of our offering: the SaaS-based approach. Our patented binary scanning approach enables us to securely provide static analysis testing in our platform without disclosing your intellectual property. Our SaaS-based approach means you can start scanning on day one without any hardware to install or manage, and can scale rapidly with no queuing. Compared to on-premise source code scanners that are notoriously plagued with a high number of false positives until they are tuned for the application they are scanning, we have been able to learn from our 164 trillion lines of code scanned to deliver a 5 percent false-positive rate out of the box, meaning developers can focus on fixing real flaws fast. This low false-positive rate has little to do with binary vs. source code scanning, but more with the fact that as a SaaS vendor, we can learn with every scan. 

Myth 2: Scanning source code means you can scan sooner and integrate security testing further left in your SDLC

One of the largest misconceptions is that scanning fragments of code is proprietary to source code scanners because they do not compile code and, therefore, can scan earlier in the development process. The impact of scanning sooner means you can find vulnerabilities sooner and reduce the time to fix errors later in production. However, integrating further left into the SDLC and scanning sooner is not dependent on whether you are scanning source code or binaries, but rather the technology and integrations your static analysis vendor provides to enable your developers to uncover and fix errors. 

To help organizations scan sooner and automate processes, we provide more than 24 integrations out-of-the-box to tools across the SDLC, meaning developers can seamlessly launch scans in the Veracode platform or via their IDE or CI/CD pipeline. These tight integrations across the SDLC have resulted in as much as 90 percent or greater reduction in remediation costs for our customers. 

Veracode has been managing AppSec programs for over a decade for more than 2,500 customers. In this time, we’ve listened to our customers and learned what works and what doesn’t. As a result, we have made design choices to optimize our solution to provide actionable insights on flaws found, such as:

• Veracode Static Analysis IDE Scan: From the first line of code, Veracode Static Analysis IDE Scan provides feedback to developers in as little as 3 seconds, right in their IDE. This is about as fast and early as you can get with static analysis. 
• Developer Sandbox: At any time, developers can test in the Developer Sandbox without inspection, which improves fix rate by an average of 48.2 percent.
• Inline feedback and flaw prioritization: To fix flaws fast, our binary scanner provides in-line remediation advice and eLearning tools aligned with specific vulnerabilities. In addition, developers can leverage the fix-first view to find where fixes can have the most impact or even fix multiple errors at once. Using the Veracode approach, development teams fix more than 2.5x the average number of flaws per megabyte. 

Our focus on not just finding errors fast, but also ensuring organizations can fix vulnerabilities fast, has helped our customers reduce the total time to remediate vulnerabilities, and makes bringing secure software to market fast a competitive advantage.

At Veracode, we choose to scan binaries because we believe this empowers our customers to capitalize securely on the power of our SaaS platform and on-demand services. The Veracode Platform has scanned tens of thousands of enterprise, mobile and cloud-based apps, and our unique approach to remediation has helped customers fix more than 89 million flaws. Our SaaS-based approach means immediate value, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.

Find out more about the Veracode Application Security Platform in this eBook.