Static Analysis: The Workhorse of an End-to-End Security Testing Strategy

by Achim D. Brucker

Security testing is an important part of any security development lifecycle (SDL) and, thus, should be part of any software development lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."

Traditional testing teaches that fixing a bug becomes more costly the later in development it is found; security testing should therefore be integrated into the daily development activities as early as possible. Because static analysis can be deployed as soon as the first line of code is written, it is the right workhorse with which to start security testing activities.

In this lecture, I will present a risk-based security testing strategy that is used at a large European software vendor. While this security testing strategy combines static and dynamic security testing techniques, I will focus on static analysis. This lecture provides an introduction to the foundations of static analysis as well as insights into the challenges and solutions of rolling out static analysis to more than 20,000 developers distributed across the whole world.
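The abstract names static analysis as the workhorse but does not show what a security-oriented analysis actually computes. The following is an added worked example, not material from the lecture and not the vendor's scanner: a toy flow-sensitive taint analysis over Python source that implements the source / sanitizer / sink model on which tools of this kind are built. The policy tables (which calls are sources, sanitizers and sinks, and which argument of a sink is the dangerous one) and the sample program are assumptions constructed for the example.

```python
"""Toy flow-sensitive taint analysis over Python source (added illustration).

Not the lecture's tooling or the vendor's scanner; it demonstrates the
source / sanitizer / sink model behind security static analysis.
The policy tables and the sample program below are assumptions for the example.
"""
import ast

# Assumed policy. Sources return attacker-controlled data, sanitizers neutralise it,
# and sinks map to the index of the argument that must not be tainted (the query
# string of cursor.execute, not its parameter tuple, which the driver escapes).
SOURCES = {"input", "request.args.get"}
SANITIZERS = {"int", "shlex.quote"}
SINKS = {"cursor.execute": 0, "os.system": 0}


def call_name(node):
    """Dotted name of a call target ('cursor.execute'), or None if not a simple call."""
    if not isinstance(node, ast.Call):
        return None
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return None
    parts.append(f.id)
    return ".".join(reversed(parts))


def is_tainted(expr, tainted):
    """Tainted if the expression is a source call or mentions a tainted variable,
    unless it is a sanitizer call (whose result we trust)."""
    name = call_name(expr)
    if name in SANITIZERS:
        return False
    if name in SOURCES:
        return True
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))


def statements(body):
    """Yield statements in program order, descending into if/for/while/try bodies."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from statements(getattr(stmt, field, []))


def expressions(stmt):
    """Yield the nodes of one statement without entering nested statements."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        yield node
        stack.extend(c for c in ast.iter_child_nodes(node) if not isinstance(c, ast.stmt))


def analyze(source):
    """Return [(line, sink)] for every sink call whose dangerous argument is tainted."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()  # per-function state; branches are treated as sequential
        for stmt in statements(func.body):
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                # An assignment taints its targets or clears them (e.g. n = int(n)).
                if is_tainted(stmt.value, tainted):
                    tainted |= names
                else:
                    tainted -= names
            for node in expressions(stmt):
                idx = SINKS.get(call_name(node))
                if idx is not None and idx < len(node.args) and is_tainted(node.args[idx], tainted):
                    findings.append((node.lineno, call_name(node)))
    return findings


# Constructed sample program (not from the page): two injections and two safe variants.
SAMPLE = """\
def lookup(request, cursor):
    user = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % user)

def lookup_fixed(request, cursor):
    user = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))

def tail(request):
    n = request.args.get("n")
    os.system("tail -n " + n)

def head(request):
    n = int(request.args.get("n"))
    os.system("head -n %d log.txt" % n)
"""

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

Run stand-alone, the analysis reports lines 3 and 11 of the sample (string concatenation into a query and into a shell command) and stays silent on the parameterised query and on the value that passed through `int()`. The three things that make this useful as soon as the first line of code exists are visible here: it needs no running system, no test data and no deployed environment, only the source text and a policy that names sources, sanitizers and sinks. What it does not model (branches, calls between functions, aliasing, sanitizers that are only correct for one sink) is exactly where industrial tools spend their effort, and where false positives and false negatives come from.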


Please cite this article as follows:
Achim D. Brucker. Static Analysis: The Workhorse of an End-to-End Security Testing Strategy. SECENTIS Winter School, 09. feb. 2016.
(slides) (handout) (BibTeX)

BibTeX
@Talk{ talk:brucker:secentis-static-analsyis:2016,
abstract = {Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between ``end of development'' and ``offering the product to customers.''\\\\Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated, as early as possible, into the daily development activities. The fact that static analysis can be deployed as soon as the first line of code is written, makes static analysis the right workhorse to start security testing activities.\\\\In this lecture, I will present a risk-based security testing strategy that is used at a large European software vendor. While this security testing strategy combines static and dynamic security testing techniques, I will focus on static analysis. This lecture provides an introduction to the foundations of static analysis as well as insights into the challenges and solutions of rolling out static analysis to more than 20,000 developers, distributed across the whole world.},
author = {Achim D. Brucker},
day = {09},
event = {SECENTIS Winter School},
handout = {https://www.brucker.ch/bibliography/download/2016/talk-brucker-secentis-static-analysis-2016-2x2.pdf},
isodate = {2016-02-09},
lecturer = {Achim D. Brucker},
location = {Trento, Italy},
month = {feb},
slides = {https://www.brucker.ch/bibliography/download/2016/talk-brucker-secentis-static-analsyis-2016.pdf},
title = {Static Analysis: The Workhorse of an End-to-End Security Testing Strategy},
url = {https://www.brucker.ch/bibliography/abstract/talk-brucker-secentis-static-analsyis-2016},
year = {2016},
}