Effective Static Analysis is the Key to Successful DevSecOps
DevSecOps creates more effective security by moving the traditional gate earlier instead of the end of the pipeline, where it’s too late to effectively fix security issues. Static code analysis is the best way to move security as far left as possible by using both early detection checkers for common issues like tainted data as well as secure-by-design coding patterns that harden the code against todays common attacks. However, static analysis has a reputation for being noisy and causing extra work. We will explore tips and tricks to make sure your static analysis is delivering security while avoiding common pitfalls that plague security efforts. Understanding the role of policy and effective choice of available coding standards is an important start, while leveraging standards based risk assessment to prioritize issues based on the impact, severity, and likelihood of security vulnerabilities will ensure that your code is secure and your team appreciates the tools rather than hates them.