Posted by Charlie Klein on August 27, 2018
This is the third post in a three-part series on how you can maximize the impact of a static analysis solution by supporting developers and their goals.
As discussed in previous posts, developers are more likely to use SAST tools to improve application security when they integrate seamlessly into existing development workflows. While integration into workflows is crucial for developer adoption, static analysis results can also determine whether developers embrace SAST tools or dismiss them as shelfware.
Even static analysis that integrates perfectly into development workflows does not necessarily have an impact on application security—SAST tools must also produce results that are helpful. Static analysis results can contain either a stressful, paralyzing list of information or useful, actionable advice on how to improve code integrity. Whether SAST results are the former or the latter has significant consequences for developer adoption. More specifically, if developers perceive static analysis results to be unhelpful or confusing, it’s unlikely to have an impact on application security.
Static analysis results that are accurate, actionable, and relevant to modern codebases give developers the information they need to improve their code.
If developers don’t enjoy using static analysis, it’s unlikely SAST tools will have an impact on application security. With accurate, actionable, and relevant results, developers are likely not only to benefit from static analysis but also to enjoy using it.
Coverity makes debugging code faster and easier, which is a key reason developers across the world use it to improve code integrity. From financial services to telecommunications to aerospace and defense, developers in different verticals use Coverity to build quality and security into their code.
Embedded code in the automotive industry, for example, has different quality and security needs than code designed to store customer data for banks. For this reason, Coverity is easy to configure, producing relevant results for developers writing code in different languages, on different frameworks, and for different purposes. Developers can tailor Coverity’s analyses to find the security weaknesses and quality defects that matter most to them—making their debugging efforts efficient and easy.
Similarly, Coverity’s low false-positive rate allows developers to focus on real weaknesses and defects, rather than spending time separating false positives from important issues. False positives are simply incompatible with the pace of modern software development, which is why accuracy is crucial to development’s adoption of static analysis. When developers have confidence in the integrity of the results, static analysis can become an essential element of the SDLC.
Accurate results paired with precise triage information and remediation advice enable developers to act quickly on issues. Coverity provides developers with actionable information to simplify code review. Security weaknesses and quality defects are not always an obvious fix, so if issues are to be solved, rather than just identified, information on remediation strategies is important.
Application security review processes have a bad rap within development communities. This isn’t surprising, considering most review processes aren’t designed to support developers. Static analysis that provides helpful, relevant information about their code reduces debugging time, which contributes to their goal of producing secure, high-quality software quickly. This benefits security teams as well, because SAST will have a greater impact on application security when developers enjoy using it.
Coverity’s accurate, actionable, and relevant results ensure developers get a productivity boost from static analysis, rather than being held back by it. For this reason, organizations using Coverity can be sure static analysis has a significant impact on application security.
Get the latest Software Integrity news, thought leadership, and more.