Getting More out of Static Code Analysis and Application Security Testing Platforms

Software engineering leaders face tighter deadlines to test and deliver more complex applications. The best teams deliver quality code – with minimal issues – when they are confident that they are implementing secure and compliant software.

One of the ways teams meet these challenges is by performing more end-to-end Application Security Testing (AST) throughout the SDLC, using Static Code Analysis (SCA) and other tools to detect deviations from style or syntax guides (referred to as violations) that can cause real problems down the road. Products like Coverity, Veracode, Klocwork and CTest provide comprehensive rules-based systems that inform engineers of guidelines for code style and syntax. Articles like this September 2018 piece from SD Times discuss the benefits to engineering teams outside the regulated industries where these tools have traditionally been used.

These tools are run in a decentralized way by developers in their IDEs as well as in build pipelines. In the IDE, software engineers are educated and empowered to make their code as compliant with the organization’s policies as possible. While comprehensive, these tools can produce a lot of noise, which leads engineers to adopt an ‘acknowledge and defer’ approach in more cases than they probably should. The team at Parasoft discusses this and other techniques for managing SCA violations in their recent blog post Getting Started with Static Analysis without Overwhelming the Team.

When engineering managers don’t have an effective way of knowing the true impact of the specific issues and violations uncovered, prioritization and scheduling of the remediation work becomes ineffective. Without proper impact analysis, high-impact violations can be missed and slip through the cracks. Continuous quality feedback loops help engineering managers bridge that gap by putting more information into their hands, so they can effectively triage, prioritize, and schedule the violations that require remediation.

Getting more value out of Static Code Analysis

To make the use of static code analysis tools more effective and approachable, Backtrace is introducing some new capabilities. We can help teams incorporate feedback from their fuzzing tests, regression suites, and early access or canary systems to correlate test case failures with issues raised by their SCA tools for more effective prioritization and more confidence to release. In addition, Backtrace will allow engineering managers to capture SCA violations in a central location and leverage our best-in-class ability to index and analyze errors. We also integrate with popular SDLC tools like Jira, Slack, Datadog, Tripwire, PagerDuty, and more to better support your engineering development workflows.

Backtrace for SCA will help teams:

  1. Correlate QA and real-world issues (from test or production environments) with issues identified by their SCA tool, helping to identify violations that should be prioritized.
  2. Build team-wide, repeatable processes for handling different classes of issues and vulnerabilities as they occur.
  3. Perform deep analytics, surfacing information such as when a violation was first introduced, when it was remedied, whether it was ever exploited, and more.

Improve Signal to Noise Ratio with Correlation

Thousands of different types of violations can be raised during SCA scans. How can teams effectively prioritize those that may cause the most harm? How do they know which might be exploited in the real world?

Techniques such as fuzzing can help isolate real concerns by supplying unexpected or random input intended to expose vulnerabilities, issues, and corner cases that may not have been properly handled. But when fuzzing finds an issue, collecting and analyzing the crash information it generates involves heavy lifting.

Backtrace simplifies the capture and analysis of crash and exception data produced by testing techniques like fuzzing, and correlates it with previously identified SCA violations. This helps teams become more effective in their prioritization, and more confident in their ability to ship.
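As an added illustration of the correlation idea (this is example code written for this page, not Backtrace's product code or any SCA tool's real format), the following matches the stack frames of fuzzer crash reports against the source locations of SCA violations and ranks the violations so that those on a crashing path, and then those the tool rated most severe, come first. The rule ids, file paths and crash reports are constructed sample data.

```python
# Example correlator (not Backtrace's code). Input formats are assumed:
# an SCA violation is (rule, file, line, severity); a crash is a list of
# (file, line) stack frames, innermost first. All sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    rule: str       # checker/rule id from the SCA tool (constructed ids)
    file: str
    line: int
    severity: int   # tool's own severity, 1 (low) .. 3 (high)


@dataclass
class Crash:
    crash_id: str
    signal: str
    frames: list    # innermost-first list of (file, line) tuples


def frame_window(frame, radius):
    """Source locations within `radius` lines of one stack frame (same file)."""
    file, line = frame
    return {(file, ln) for ln in range(line - radius, line + radius + 1)}


def correlate(violations, crashes, radius=2):
    """Return [(violation, [crash_ids])] sorted by number of distinct crashes
    whose stack passes near the violation, then by tool severity, then path."""
    hits = {v: [] for v in violations}
    for crash in crashes:
        near = set()
        for frame in crash.frames:
            near |= frame_window(frame, radius)
        for v in violations:
            if (v.file, v.line) in near:
                hits[v].append(crash.crash_id)
    return sorted(hits.items(),
                  key=lambda kv: (-len(kv[1]), -kv[0].severity, kv[0].file, kv[0].line))


# Constructed sample findings and crash reports (made-up rule ids and paths).
SAMPLE_VIOLATIONS = [
    Violation("UNCHECKED_RETURN", "src/parse.c", 42, 1),
    Violation("BUFFER_SIZE_MISMATCH", "src/parse.c", 118, 3),
    Violation("STYLE_LINE_LENGTH", "src/util.c", 7, 1),
    Violation("NULL_DEREF", "src/net.c", 210, 3),
]
SAMPLE_CRASHES = [
    Crash("fuzz-0001", "SIGSEGV", [("src/parse.c", 119), ("src/main.c", 30)]),
    Crash("fuzz-0002", "SIGABRT", [("src/parse.c", 117), ("src/main.c", 30)]),
    Crash("fuzz-0003", "SIGSEGV", [("src/parse.c", 43), ("src/main.c", 30)]),
]


def prioritized_rule_ids():
    """Rule ids in triage order for the constructed sample data."""
    return [v.rule for v, _ in correlate(SAMPLE_VIOLATIONS, SAMPLE_CRASHES)]
```

With the sample data, the buffer-size finding is hit by two crashes and rises to the top, the low-severity unchecked-return finding is hit by one crash and outranks the untouched high-severity null dereference, and the pure style finding sinks to the bottom.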

Schedule a Demo!

If you’re an engineering manager looking to improve your use of SCA tools and gain the confidence you need to develop at greater speed, schedule a demo with us today! We’ll show you how you can improve your detection and resolution times of software issues by up to 90%.


By | 2019-09-26T18:03:00+00:00 September 26th, 2019|Announcements, Features|