![Page 1: Current state and future direction - Utah State University · Current state and future direction ... [2015] SAST Tools • Deployment models –Desktop, standalone, build integration,](https://reader034.vdocument.in/reader034/viewer/2022042222/5ec9268ea25d3e29c01c52e9/html5/thumbnails/1.jpg)
Static Analysis Programs
Current state and future direction
Aravind Venkataraman
Practice Director – Static Analysis
Introduction
• Eight years in software security
• Helped firms build software security programs
• Helped firms build and run static analysis capabilities
• Technical expertise in “SAST” tools
• Built Cigital’s managed services capability
Objectives
• Introduction to the static analysis marketplace
• Current industry state
• Common program-level challenges
• Future direction
Target Audience
• You manage and run a software security program
• You are purchasing a static analysis tool
• You are unsure about investing in static analysis
Why Static Analysis
• Move left in the SDLC
• Enable developers to change behavior
• Provide code-level feedback to aid developers in remediation
• Enforce secure coding standards
Industry maturity
http://bsimm.com
Industry maturity
R&D [2005]
Early adopters [2007]
Gain popularity [2009]
Mainstream adoption [2012]
Commoditization [2015]
SAST Tools
• Deployment models – Desktop, standalone, build integration, SaaS.
• Language support – Java, .NET, PHP, JavaScript, SQL, etc.
• Integration options – DAST, defect tracking, reporting.
Usage Trend
Developer desktop [2009]
Service bureau [2012]
On-demand SaaS [2015]
Continuous Integration [2016]
[East coast] Service bureau
[Mid west] On-demand SaaS
[West coast] Continuous Integration (CI)
Developer usage
• Quick feedback
• Developer education
• Behavior change
Security usage
• Control and governance
• Cost-effective
• Ease of deployment
• Visibility
Program-level challenges
• [Process] Scalability
• [Process] Friction in Agile
• [Technology] Tools are noisy
• [Technology] Limited tool support for dynamic languages (Ruby, JavaScript)
• [People] Developer behavior hard to change
• [People] Expertise not easy to find
Future Trend
Continuous Integration (CI)
• [Technology] Existing developer tools (FindBugs, CodePro, Pylint, etc.)
• [Technology] Existing tool chain (SonarQube, Jenkins, Maven, Artifactory, git, etc.)
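One concrete shape of the CI gate these bullets point at, as an added example that is not from the talk or from any named tool: a Python script that a Jenkins job would run after the SAST step. It reads a findings report, suppresses items already triaged into a baseline so that noisy rules do not block every build, and fails the job only when a new finding meets the severity threshold. The report format, the baseline fingerprinting scheme, the rule names and the sample findings are all constructed for illustration.

```python
"""CI quality gate for static-analysis findings (added example; formats are assumed)."""
import hashlib
import json
from dataclasses import dataclass

# Assumed severity vocabulary; map your tool's levels onto it.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    severity: str
    snippet: str

    def fingerprint(self) -> str:
        # Line numbers shift on every unrelated edit, so key the baseline on
        # rule + file + the flagged code text instead; a triaged false positive
        # then stays suppressed until the code itself changes.
        key = f"{self.rule}|{self.path}|{self.snippet.strip()}".encode()
        return hashlib.sha256(key).hexdigest()[:16]


def load_findings(report_json: str) -> list[Finding]:
    """Parse the (assumed) JSON report: {"findings": [{rule, path, line, severity, snippet}, ...]}."""
    return [Finding(**f) for f in json.loads(report_json)["findings"]]


def gate(findings: list[Finding], baseline: set[str], threshold: str):
    """Return (passed, blocking, suppressed).

    A finding whose fingerprint is in the baseline was already triaged and is
    reported but never blocks; anything else at or above the threshold fails
    the build. Findings below the threshold are left for the backlog.
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for f in findings:
        if f.fingerprint() in baseline:
            suppressed.append(f)
        elif SEVERITY_RANK[f.severity] >= min_rank:
            blocking.append(f)
    return len(blocking) == 0, blocking, suppressed


# Constructed sample report standing in for a tool's output.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "path": "app/orders.py", "line": 42, "severity": "high",
     "snippet": 'cursor.execute("SELECT * FROM orders WHERE id=" + order_id)'},
    {"rule": "hardcoded-secret", "path": "tests/fixtures.py", "line": 7, "severity": "medium",
     "snippet": 'API_KEY = "test-not-a-real-key"'},
    {"rule": "weak-hash", "path": "app/legacy.py", "line": 15, "severity": "low",
     "snippet": "hashlib.md5(data)"},
]})


def triaged_baseline() -> set[str]:
    # Constructed baseline: the test-fixture "secret" was reviewed and accepted.
    accepted = Finding("hardcoded-secret", "tests/fixtures.py", 7, "medium",
                       'API_KEY = "test-not-a-real-key"')
    return {accepted.fingerprint()}


def run_gate(report_json: str = SAMPLE_REPORT, threshold: str = "medium"):
    """Apply the gate and return (passed, blocking rule names, suppressed rule names)."""
    passed, blocking, suppressed = gate(load_findings(report_json), triaged_baseline(), threshold)
    return passed, [f.rule for f in blocking], [f.rule for f in suppressed]


if __name__ == "__main__":
    passed, blocking, suppressed = run_gate()
    print("PASS" if passed else "FAIL", "blocking:", blocking, "suppressed:", suppressed)
    raise SystemExit(0 if passed else 1)  # non-zero exit is what fails the CI stage
```

The baseline file is the piece that makes this workable in Agile teams: the security group owns the triage decisions, developers see only findings introduced by their change, and the exit code is the only interface the pipeline needs.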
Dynamic language support
• [Technology] Python, Django, JavaScript, Ruby, etc.
Mobile SAST
• [Technology] On-demand SaaS (SAST + DAST)
• [Technology] Static checks for binary protections
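What a static check for binary protections looks like for an Android native library (an ELF shared object), as an added example that is not from the talk: it parses the ELF program headers and reports whether the binary is position-independent (ET_DYN), has a non-executable stack (a PT_GNU_STACK segment without PF_X) and carries a RELRO segment. The minimal ELF images it checks are constructed inline. A production check would also read the dynamic section for BIND_NOW (full RELRO) and the symbol table for __stack_chk_fail (stack canaries); iOS binaries are Mach-O and need a different parser.

```python
"""Header-level ELF hardening check (added example; sample binaries are constructed)."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def check_elf_protections(blob: bytes) -> dict:
    """Return {"pie", "nx", "relro"} for an ELF64 image based on its headers only."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (fields after that are not needed here)
    (e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum) = struct.unpack_from(
        end + "HHIQQQIHHH", blob, 16)

    gnu_stack_flags = None
    has_relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", blob, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    return {
        # An executable linked as ET_DYN is a PIE; shared objects are ET_DYN by nature.
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all is treated as a failure: the loader default is
        # then architecture-dependent, which is exactly what a reviewer should flag.
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "relro": has_relro,
    }


def build_elf64(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 (AArch64, little-endian) containing only the headers
    the check reads; it is not loadable, just enough to exercise the parser."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, EV_CURRENT, SYSV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 0xB7, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x1000)
                    for p_type, p_flags in phdrs)
    return ehdr + body


def audit_samples() -> dict:
    """Run the check over one hardened and one weak constructed library."""
    hardened = build_elf64(ET_DYN, [(PT_LOAD, PF_R | PF_X),
                                    (PT_GNU_STACK, PF_R | PF_W),
                                    (PT_GNU_RELRO, PF_R)])
    weak = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X),
                                 (PT_GNU_STACK, PF_R | PF_W | PF_X)])
    return {"hardened": check_elf_protections(hardened),
            "weak": check_elf_protections(weak)}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        failed = [k for k, ok in result.items() if not ok]
        print(name, "OK" if not failed else "MISSING: " + ", ".join(failed))
```

Running this over every .so inside an APK (after unzipping lib/) gives a repeatable build-time gate for the native side of a mobile app, which is the kind of check that has no runtime component and so belongs on the static side of a SAST + DAST service.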
Static Analysis Programs
Q&A