Page 28 - index
that it’s almost impossible to quantify. The issue isn’t necessarily that developers don’t
understand what a buffer overflow is; rather, it’s the size and complexity of the code base that
makes such flaws extremely difficult to find. SCA, on the other hand, uses a detailed model of the
code base to identify and explain these issues in a way that helps developers fix them early
in the development process.
The power of SCA isn’t limited to finding code vulnerabilities; it’s also an effective method for
determining how compliant your code is with common security standards, like CWE or
OWASP.
Open source software is used by over 50 percent of enterprise organizations today (from the
2014 Future of Open Source survey), and it’s not surprising that most of them don’t know the
extent of where and how open source is used. If open source isn’t tested to the same
technical and performance requirements as the rest of your software, including security
vulnerabilities, any product or service that includes it is potentially compromised (this issue is
now number 9 on OWASP’s list of Top 10 Application Security Concerns). Open source
scanning and support does two things:
It gives you a comprehensive picture of where open source is used throughout the
organization, giving you the information you need to plan and execute security testing.
It provides up-to-date reports on known security vulnerabilities, patch levels, and versions.
Armed with the knowledge provided by open source scanning, your team is better positioned
to combat security threats.
The perfect combination
Static code analysis finds flaws before check-in and open source scanning finds flaws for
code that you’re bringing in from the outside. Put the two together and you’ll not only have a
complete picture of the potential weaknesses in your code, you’ll also be able to fix flaws
earlier and faster than if you tried to do it manually.
About The Author
Art Dahnert is the Security Product Manager of Klocwork, a
Rogue Wave Company. He is a distinguished software security
engineer with over 17 years of security experience within the
development process. Before joining Klocwork, Art performed
numerous application security assessments while working at
Trustwave Spider Labs, Symantec, Overwatch, Schlumberger,
and BMC Software.