Deploying Static Application Security Testing on a Large Scale

Achim D. Brucker und Uwe Sodan

Cover for brucker.ea:sast-expierences:2014.Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.

The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.

In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.

Schlüsselwörter: static code analysis, static application security testing, SAST, secure development life-cycle, SDLC
Kategorien: ,
Dokumente: (Artikel als PDF Datei) (Folien) (Handout)

QR Code for brucker.ea:sast-expierences:2014.Bitte zitieren sie diesen Artikel wie folgt:
Achim D. Brucker und Uwe Sodan. Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014.
Schlüsselwörter: static code analysis, static application security testing, SAST, secure development life-cycle, SDLC
(Artikel als PDF Datei) (BibTeX) (Endnote) (RIS) (Word) (Share article on LinkedIn. Share article on CiteULike.)

BibTeX
@InProceedings{ brucker.ea:sast-expierences:2014,
abstract = {Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.\\\\The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.\\\\In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.},
address = {GI},
author = {Achim D. Brucker and Uwe Sodan},
booktitle = {GI Sicherheit 2014},
editor = {Stefan Katzenbeisser and Volkmar Lotz and Edgar Weippl},
isbn = {978-3-88579-622-0},
keywords = {static code analysis, static application security testing, SAST, secure development life-cycle, SDLC},
month = {mar},
pages = {91--101},
pdf = {https://www.brucker.ch/bibliography/download/2014/brucker.ea-sast-expierences-2014.pdf},
publisher = {GI},
series = {Lecture Notes in Informatics},
talk = {talk:brucker.ea:sast-expierences:2014},
title = {Deploying Static Application Security Testing on a Large Scale},
url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014},
volume = {228},
year = {2014},
}