Static Analysis Programs: Current state and future direction
Utah State University
Aravind Venkataraman
Practice Director – Static Analysis
Introduction
• Eight years in software security
• Helped firms build software security programs
• Helped firms build and run static analysis capabilities
• Technical expertise in “SAST” tools
• Built Cigital’s managed services capability
Objectives
• Introduction to the static analysis marketplace
• Current industry state
• Common program-level challenges
• Future direction
Target Audience
• You manage and run a software security program
• You are purchasing a static analysis tool
• You are unsure about investing in static analysis
Why Static Analysis
• Move left in the SDLC
• Enable developers to change behavior
• Provide code-level feedback to aid developers in remediation
• Enforce secure coding standards
Industry maturity
http://bsimm.com
Industry maturity
R&D [2005]
Early adopters [2007]
Gain popularity [2009]
Mainstream adoption [2012]
Commoditization [2015]
SAST Tools
• Deployment models – Desktop, standalone, build integration, SaaS.
• Language support – Java, .NET, PHP, JavaScript, SQL, etc.
• Integration options – DAST, defect tracking, reporting.
Usage Trend
Developer desktop [2009]
Service bureau [2012]
On-demand SaaS [2015]
Continuous Integration [2016]
[East coast] Service bureau
[Mid west] On-demand SaaS
[West coast] Continuous Integration (CI)
Developer usage
Quick feedback
Developer education
Behavior change
Security usage
Control and governance
Cost-effective
Ease of deployment
Visibility
Program-level challenges
• [Process] Scalability
• [Process] Friction in Agile
• [Technology] Tools are noisy
• [Technology] Limited tool support for dynamic languages (Ruby, JavaScript)
• [People] Developer behavior hard to change
• [People] Expertise not easy to find
Future Trend
Continuous Integration (CI)
• [Technology] Existing developer tools (FindBugs, CodePro, Pylint, etc.)
• [Technology] Existing tool chain (SonarQube, Jenkins, Maven, Artifactory, git, etc.)
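As an added example (not code from the presentation, from Cigital, or from any of the tools named above), the following Python script shows the two mechanisms these slides point at: a small AST-based rule set that enforces a few secure coding standards in a build step, and a baseline of accepted finding fingerprints so that the CI gate fails only on findings that are new, which is how teams keep a noisy tool from blocking every build. The rule names (PY-EVAL, PY-SHELL, PY-SECRET), the fingerprint scheme, and the sample sources are assumptions made for this example.

```python
# Added example: a minimal AST-based static analysis rule set with a CI gate and a
# noise baseline. Rule names, fingerprint scheme and sample sources are assumptions.
import ast
import hashlib
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    message: str

    def fingerprint(self) -> str:
        # Line numbers are excluded on purpose: an unrelated edit that shifts code
        # up or down must not turn an already-accepted finding into a "new" one.
        raw = f"{self.path}|{self.rule}|{self.message}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


DANGEROUS_CALLS = {"eval": "PY-EVAL", "exec": "PY-EVAL"}          # dynamic code execution
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}
SECRET_SUFFIXES = ("password", "passwd", "secret", "token", "api_key")


def _call_name(node: ast.Call) -> str:
    """Return 'name' or 'module.attr' for a call target, '' for anything more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class SecurityVisitor(ast.NodeVisitor):
    def __init__(self, path: str) -> None:
        self.path = path
        self.findings: list[Finding] = []

    def _report(self, rule: str, node: ast.AST, message: str) -> None:
        self.findings.append(Finding(rule, self.path, node.lineno, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self._report(DANGEROUS_CALLS[name], node, f"call to {name}()")
        elif name == "os.system":
            self._report("PY-SHELL", node, "os.system() always runs through a shell")
        elif name in SHELL_CALLS:
            for kw in node.keywords:   # only flag an explicit shell=True literal
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report("PY-SHELL", node, f"{name}(shell=True)")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # A non-empty string literal assigned to a name that looks like a credential.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower().endswith(SECRET_SUFFIXES):
                    self._report("PY-SECRET", node, f"string literal assigned to {target.id}")
        self.generic_visit(node)


def scan_source(path: str, source: str) -> list[Finding]:
    visitor = SecurityVisitor(path)
    visitor.visit(ast.parse(source, filename=path))
    return visitor.findings


def scan_all(sources: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for path, source in sources.items():
        findings.extend(scan_source(path, source))
    return findings


def triage(findings: list[Finding], baseline: set[str]) -> tuple[list[Finding], int]:
    """Split findings into new ones and ones already accepted in the baseline."""
    new = [f for f in findings if f.fingerprint() not in baseline]
    return new, len(findings) - len(new)


def ci_exit_code(sources: dict[str, str], baseline: set[str]) -> int:
    """Build gate: fail (1) only when a finding is not in the accepted baseline."""
    new, _ = triage(scan_all(sources), baseline)
    return 1 if new else 0


# Constructed sample inputs for the example; not real project code.
SAMPLE_SOURCES = {
    "app/views.py": (
        "import subprocess\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
        "def render(expr):\n"
        "    return eval(expr)\n"
    ),
    "app/settings.py": "DB_PASSWORD = 'hunter2'\nDEBUG = True\n",
}


def main() -> int:
    findings = scan_all(SAMPLE_SOURCES)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.message}  [{f.fingerprint()}]")
    print("exit code without baseline:", ci_exit_code(SAMPLE_SOURCES, set()))
    # After triage the team commits the current fingerprints as the baseline; the gate
    # then passes and fails again only when a finding with a new fingerprint appears.
    baseline = {f.fingerprint() for f in findings}
    print("exit code with baseline:", ci_exit_code(SAMPLE_SOURCES, baseline))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the baseline file lives in the repository next to the code and is reviewed like any other change, so accepting a finding is a visible, deliberate act rather than a silent suppression; the same fingerprint idea works for the output of a commercial SAST tool once its findings are normalised to path, rule and message.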
Dynamic language support
• [Technology] Python, Django, JavaScript, Ruby, etc.
Mobile SAST
• [Technology] On-demand SaaS (SAST + DAST)
• [Technology] Static checks for binary protections
Static Analysis Programs
Q&A