pdfreaders.org

Deploying Static Application Security Testing on a Large Scale

by Achim D. Brucker

Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.

The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.

In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.

Keywords:
Categories:
Documents:

QR Code for talk:brucker.ea:sast-expierences:2014.Please cite this article as follows:
Achim D. Brucker. Deploying Static Application Security Testing on a Large Scale. GI Sicherheit 2014, Vienna, Austria, 19. mar. 2014.
(slides) (handout) (BibTeX) (Share article on LinkedIn. Share article on CiteULike. )

BibTeX
@Talk{ talk:brucker.ea:sast-expierences:2014,
abstract = {Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.\\\\The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.\\\\In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.},
address = {Vienna, Austria},
author = {Achim D. Brucker},
day = {19},
event = {GI Sicherheit 2014},
handout = {https://www.brucker.ch/bibliography/download/2014/talk-brucker.ea-sast-expierences-2014-2x2.pdf},
isodate = {2014-03-19},
language = {USenglish},
lecturer = {Achim D. Brucker},
month = {mar},
slides = {https://www.brucker.ch/bibliography/download/2014/talk-brucker.ea-sast-expierences-2014.pdf},
slideshare = {32498660},
slideshare_height = {356},
slideshare_width = {427},
title = {Deploying Static Application Security Testing on a Large Scale},
url = {https://www.brucker.ch/bibliography/abstract/talk-brucker.ea-sast-expierences-2014},
year = {2014},
}