Jul 13, 2020

Quality Conundrum: Relying on QA Tools Alone Increases Risk

By Meaghan McBee

Quality assurance, or QA, is one of the go-to solutions for organizations looking to enhance their application security (AppSec). But on its own, QA doesn’t provide enough coverage, and it can give your team a false sense of security that comes back to haunt you during audits, or worse: after a breach. QA tools are only the tip of the iceberg when it comes to flagging and remediating flaws that leave your applications vulnerable to attacks.

Why doesn’t QA deliver what you need without additional scanning, testing, and remediation solutions? Tools sold as standalone products are often lower quality and lack essential features. For example, some QA tools don’t scan for cryptographic flaws or check for backdoors, leaving your code exposed to common vulnerabilities and bugs.

And some QA tools have higher than average false-positive rates, which can create unnecessary bottlenecks in the development process, especially if you’re only using a QA tool. Veracode’s false positive rate for Static Analysis is an industry-leading 1.1 percent – which helps our customers speed up their DevSecOps programs by not holding them back with false alarms.

Software Engineer and author Steve Maguire said it best: “Don’t fix bugs later; fix them now.” Organizations looking to up their security game should focus on speed, accessibility, efficiency, and breadth of security coverage, with customization and automation available to tailor AppSec programs to specific business needs. That means less time spent fixing found flaws closer to (or after) deployment, which QA can’t (and shouldn’t) do alone.

Covering your bases with the right solutions

Beating the quality conundrum is all about having the right tools in the right place, and QA simply can’t cover all the bases when it comes to security.

Effective AppSec tools go beyond simply assessing the severity of vulnerabilities and provide clear guidance on how to fix said flaws with remediation tips and training. Putting in the effort sooner rather than later will save time – and money – as risk is lowered closer to deployment with frequent scanning and education earlier on.

QA tools don’t hold up against the Common Weakness Enumeration (CWE) categories, which catalog software weaknesses and vulnerabilities. When examining a leading competitor, we found that over half of the CWEs found by Veracode were missed by the competition’s QA tool, and that a mere 5 percent of the QA tool’s rules even covered vulnerabilities. That, coupled with higher than average false-positive rates, means development and security teams will either miss dangerous flaws or spend an excessive amount of time digging through false flags if they rely on QA tools alone.

A quick and comprehensive assessment

We know that some QA tools rely on “Security Hotspots” because they lack true vulnerability checking. “Security Hotspots,” or code areas that have a higher likelihood of containing security flaws, are important to acknowledge – but QA tools simply don’t test the code to see whether it actually contains a security bug or vulnerability. To maintain greater control over the security health of your applications, you need solutions that detect vulnerabilities throughout the development process quickly and efficiently, with a clear path to remediation.

Effective application security goes beyond QA to provide a comprehensive assessment of the application’s landscape and the risks it brings to the table. Veracode’s testing types cover the entire SDLC, with features like automated feedback that speed developers up instead of slowing them down. The proof is in the numbers: Veracode’s IDE Scan provides feedback instantly while the Pipeline Scan takes about 90 seconds, and the Policy Scan about 8 minutes on average.

Solutions that satisfy compliance

It isn’t enough to just have capable tools in your arsenal – you need to be able to prove that they’re working. Some of that proof falls on auditing and compliance needs, which is another area where QA solutions simply fall short. These tools rely on the developers themselves to mark issues and flaws as “reviewed” and then close them with little to no supervision.

As auditors typically want independent verification of results, that won’t do for most organizations. Veracode’s low false-positive rate, coupled with internal workflows involving security checks, takes a lot of the guessing (and risk) out of the review process.

Reporting is another essential feature for application security solutions, as it helps security teams set clear goals and developers stay on track with remediation guidance so the whole team can maintain compliance. If your QA tool doesn’t deliver clear reports on high-severity vulnerabilities and bugs, your team will miss out on retrospective data that can help guide future security decisions.

QA solutions may provide some peace of mind, but they don’t go the extra mile in helping developers remediate flaws and reduce risk, and they can introduce higher rates of false positives that slow everything down. Instead, look for an AppSec solution that integrates seamlessly, works quickly, provides accurate results, and guides developers towards remediation. If you do, you’re leaving less room for risk and more room for innovation as your development and security teams focus on producing quality code.

To learn more, watch a short demo video of the Veracode solution.


Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.