Static Analysis: The Workhorse of an End-to-End Security Testing Strategy

By Achim D. Brucker.

Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."

Learning from traditional testing that fixing a bug becomes more costly the later in development it is done, security testing should be integrated, as early as possible, into the daily development activities. Because static analysis can be deployed as soon as the first line of code is written, it is the right workhorse with which to start security testing activities.

In this lecture, I will present a risk-based security testing strategy that is used at a large European software vendor. While this strategy combines static and dynamic security testing techniques, I will focus on static analysis. This lecture provides an introduction to the foundations of static analysis as well as insights into the challenges and solutions of rolling out static analysis to more than 20,000 developers distributed across the whole world.

Please cite this work as follows:
A. D. Brucker, "Static analysis: The workhorse of an end-to-end security testing strategy," presented at the SECENTIS Winter School, Trento, Italy, Feb. 09, 2016. Author copy: https://logicalhacking.com/publications/talk-brucker-secentis-static-analsyis-2016/

BibTeX
@Unpublished{ talk:brucker:secentis-static-analsyis:2016,
  date       = {2016-02-09},
  title      = {Static Analysis: The Workhorse of an End-to-End Security
                Testing Strategy},
  author     = {Achim D. Brucker},
  lecturer   = {Achim D. Brucker},
  venue      = {Trento, Italy},
  eventtitle = {SECENTIS Winter School},
  abstract   = {Security testing is an important part of any security
                development lifecycle (SDL) and, thus, should be a part of any
                software (development) lifecycle. Still, security testing is
                often understood as an activity done by security testers in
                the time between ``end of development'' and ``offering the
                product to customers.''
                
                Learning from traditional testing that the fixing of bugs is
                the more costly the later it is done in development, security
                testing should be integrated, as early as possible, into the
                daily development activities. The fact that static analysis
                can be deployed as soon as the first line of code is written,
                makes static analysis the right workhorse to start security
                testing activities.
                
                In this lecture, I will present a risk-based security testing
                strategy that is used at a large European software vendor.
                While this security testing strategy combines static and
                dynamic security testing techniques, I will focus on static
                analysis. This lecture provides an introduction to the
                foundations of static analysis as well as insights into the
                challenges and solutions of rolling out static analysis to
                more than 20000 developers, distributed across the whole
                world.},
  note       = {Author copy: \url{https://logicalhacking.com/publications/talk-brucker-secentis-static-analsyis-2016/}},
  pdf        = {https://logicalhacking.com/publications/talk-brucker-secentis-static-analsyis-2016/talk-brucker-secentis-static-analsyis-2016.pdf},
}