Deploying Static Application Security Testing on a Large Scale

By Achim D. Brucker and Uwe Sodan.

Static Code Analysis (SCA), also called Static Application Security Testing (SAST) when used for finding vulnerabilities, is an important technique for detecting software vulnerabilities at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.

The widespread introduction of SCA at a large software vendor, such as SAP, creates both technical and non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among developers and managers, or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP’s security standards need to be passed on to suppliers and partners in the same manner as SAP’s customers begin to pass their security standards on to SAP.

In this paper, we briefly present how SAP’s Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP and across the complete software production line, i.e., including suppliers and partners.

Keywords:
Static Code Analysis, Static Application Security Testing, SAST, Secure Development Life-Cycle, SDLC

Supplementary material:
Slides

Please cite this work as follows:
A. D. Brucker and U. Sodan, “Deploying static application security testing on a large scale,” in GI Sicherheit 2014, Mar. 2014, vol. 228, pp. 91–101. Author copy: http://logicalhacking.com/publications/brucker.ea-sast-expierences-2014/

BibTeX
@InProceedings{ brucker.ea:sast-expierences:2014,
  author    = {Achim D. Brucker and Uwe Sodan},
  title     = {Deploying Static Application Security Testing on a Large
               Scale},
  booktitle = {GI Sicherheit 2014},
  year      = {2014},
  editor    = {Stefan Katzenbeisser and Volkmar Lotz and Edgar Weippl},
  abstract  = {Static Code Analysis (SCA), also called Static Application
               Security Testing (SAST) when used for finding vulnerabilities,
               is an important technique for detecting software
               vulnerabilities at an early stage in the software development
               life-cycle. As such, SCA is adopted by an increasing number of
               software vendors.
               
               The widespread introduction of SCA at a large software
               vendor, such as SAP, creates both technical and
               non-technical challenges. Technical challenges include high
               false positive and false negative rates. Examples of
               non-technical challenges are the insufficient security
               awareness among developers and managers, or the integration
               of SCA into a software development life-cycle that facilitates
               agile development. Moreover, software is not developed
               following a greenfield approach: SAP's security standards need
               to be passed on to suppliers and partners in the same manner as
               SAP's customers begin to pass their security standards on to SAP.
               
               In this paper, we briefly present how SAP's Central Code
               Analysis Team introduced SCA at SAP and discuss open problems
               in using SCA both inside SAP and across the complete
               software production line, i.e., including suppliers and
               partners.},
  month     = {mar},
  areas     = {software,security},
  keywords  = {Static Code Analysis, Static Application Security Testing,
               SAST, Secure Development Life-Cycle, SDLC},
  publisher = {GI},
  address   = {GI},
  series    = {Lecture Notes in Informatics},
  isbn      = {978-3-88579-622-0},
  volume    = {228},
  pages     = {91--101},
  note      = {Author copy: \url{http://logicalhacking.com/publications/brucker.ea-sast-expierences-2014/}},
}