Software Integrity Blog

Search Results for 'dynamic analysis'

Static analysis tools: Are they the best for finding bugs?

Before we can dig deeper into the topic of static analysis, we must first understand how it works. Once a foundation has been established, we’ll then analyze a variety of scenarios to determine when static analysis tools are the best method to find security bugs.

What is static analysis?

Static analysis refers to the examination of a piece of software without executing it. In the world of security, it refers to discovering security-related bugs in software without actually running the software. Static code analysis is a white box method of testing, meaning that the tester has access to the underlying framework, design, and structure of the software. The process typically includes examining the code structure, studying the various data and control flows, and referring to the configuration settings to discover various types of security bugs.

Static analysis tools vs. manual review

Static code analysis can be automated or conducted manually. An automated review uses static analysis tools to discover bugs. It is faster than a manual review and generally provides better code coverage. Static analysis tools are effective at finding common security bugs. A manual review, on the other hand, is better at discovering complex bugs such as those related to authentication. The manual approach can also be very effective at analyzing business logic for security bugs. Manual reviews take more time, but they’re more thorough, and the bugs discovered have a very high confidence rate.

Considerations for static analysis tools

Static analysis tools provide developers with accurate and timely code feedback and are often integrated near the end of the software development life cycle (SDLC). Tools can provide excellent insight into the quality of the developed code.

Posted in Static Analysis (SAST)

Gary McGraw discusses the security risks of dynamic code

Dynamic languages and the associated development and operations (DevOps) methodologies change and evolve constantly. Because these dynamic aspects of software are intentionally ever-changing, security measures must also be in a constant state of progression.

Posted in Software Architecture and Design, Web Application Security

Static analysis for security

What is static analysis for security? Read about what it’s supposed to do, the best approaches, its limitations, and what to look for in a good static analysis tool. The original version of this article was published in IEEE Security & Privacy magazine.

Posted in Static Analysis (SAST)

Experts talk application security at RSA

We asked a couple of AppSec experts and BSIMM participants about 2019 application security trends, challenges, obstacles, and solutions. Here’s what they said.

Posted in Maturity Model (BSIMM)

Polaris and partners: Security superheroes

Synopsys partners with an extensive team to help all our customers build secure, high-quality software faster. Meet the latest superhero: the Polaris platform.

Posted in General

Tanya Janca at RSA on better AppSec: Play nice with DevOps

The DevOps and security relationship is often tense—but does it have to be? At RSA 2019, Tanya Janca explained how teams can play nice, and why they ought to.

Posted in Agile, CI/CD & DevOps

New software standards aim to slow rampant credit card theft

With the new PCI standards, the Payment Card Industry Security Standards Council intends to reduce credit card fraud. But the new standards may not be enough.

Posted in Financial Services Security, Security Standards and Compliance

Hacking Security Episode 4: DevSecOps with Meera Rao

Hacking Security is a monthly podcast on emerging trends in application security. In Episode 4, secure development expert Meera Rao discusses DevSecOps.

Posted in Agile, CI/CD & DevOps, Developer Enablement, General

The 10 most-read Software Integrity Blog posts from 2018

Our 10 most popular posts from 2018 show clear trends in software security topics of interest, including DevSecOps, CI/CD, open source, blockchain, and GDPR.

Posted in General

Security lessons from the House Oversight and Government Reform Committee

The U.S. House Committee on Oversight and Government Reform has more than a few things to say about responsible enterprise application security.

Posted in Data Breach, Open Source Security