Software Integrity Blog

Author Archive

Apoorva Phadke


Apoorva Phadke is a senior security consultant at Synopsys. She works with customers to adopt secure development processes and practices. Apoorva comes from a development background and advocates that security and development go hand in hand. A feminist, Apoorva strongly believes more women should enter STEM-related fields, and organizations should do more to retain them in those fields. In her down time, she’s most likely out hiking or engrossed in a murder mystery novel.


Posts by Apoorva Phadke:


Streamlining development with a DevSecOps life cycle

To make the world of rapid software deployment a safer place, it’s time to shift away from the DevOps SDLC and adopt the DevSecOps life cycle.

Posted in Agile, CI/CD & DevOps


SAST vs. DAST: What’s the best method for application security testing?

The differences between SAST and DAST include where they run in the development cycle and what kinds of vulnerabilities they find. Learn why you need both.

Posted in Static Analysis (SAST), Web Application Security


Static analysis tools: Are they the best for finding bugs?

Before we can dig deeper into the topic of static analysis, we must first understand how it works. Once a foundation has been established, we’ll then analyze a variety of scenarios to determine when static analysis tools are the best method to find security bugs.

What is static analysis?

Static analysis refers to the examination of a piece of software without executing it. In the world of security, it refers to discovering security-related bugs in software without actually running the software. Static code analysis is a white box method of testing, meaning that the tester has access to the underlying framework, design, and structure of the software. The process typically includes examining the code structure, studying the various data and control flows, and referring to the configuration settings to discover various types of security bugs.

Static analysis tools vs. manual review

Static code analysis can be automated or conducted manually. An automated review uses static analysis tools to discover bugs. It is faster than a manual review and generally provides better code coverage. Static analysis tools are effective at finding common security bugs. A manual review, on the other hand, is better at discovering complex bugs such as those related to authentication. The manual approach can also be very effective at analyzing business logic for security bugs. Manual reviews take more time, but they’re more thorough, and the bugs discovered have a very high confidence rate.

Considerations for static analysis tools

Static analysis tools provide developers with accurate and timely code feedback and are often integrated near the end of the software development life cycle (SDLC). Tools can provide excellent insight into the quality of the developed code.

Posted in Static Analysis (SAST)