pdfreaders.org

Deploying Static Application Security Testing on a Large Scale

by Achim D. Brucker and Uwe Sodan

Cover for brucker.ea:sast-expierences:2014.Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.

The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.

In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.

Keywords: static code analysis, static application security testing, SAST, secure development life-cycle, SDLC
Categories: ,
Documents: (full text as PDF file) (slides) (handout)

QR Code for brucker.ea:sast-expierences:2014.Please cite this article as follows:
Achim D. Brucker and Uwe Sodan. Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014.
Keywords: static code analysis, static application security testing, SAST, secure development life-cycle, SDLC
(full text as PDF file) (BibTeX) (Endnote) (RIS) (Word) (Share article on LinkedIn. Share article on CiteULike. )

BibTeX
@InProceedings{ brucker.ea:sast-expierences:2014,
abstract = {Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.\\\\The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.\\\\In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.},
address = {GI},
author = {Achim D. Brucker and Uwe Sodan},
booktitle = {GI Sicherheit 2014},
editor = {Stefan Katzenbeisser and Volkmar Lotz and Edgar Weippl},
isbn = {978-3-88579-622-0},
keywords = {static code analysis, static application security testing, SAST, secure development life-cycle, SDLC},
month = {mar},
pages = {91--101},
pdf = {https://www.brucker.ch/bibliography/download/2014/brucker.ea-sast-expierences-2014.pdf},
publisher = {GI},
series = {Lecture Notes in Informatics},
talk = {talk:brucker.ea:sast-expierences:2014},
title = {Deploying Static Application Security Testing on a Large Scale},
url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014},
volume = {228},
year = {2014},
}