It’s two days to the delivery deadline for a software project and your team is pulling double shifts to make it on time. Then one of the programmers flags a problem. Buried in the thousands of lines of code is an error that is causing the code to break. No one knows what the problem is and you don’t have time for a bug hunt. To make matters worse, you still have to verify that the code meets various compliance standards. It’s time to panic. But it doesn’t have to be this way.
Static Application Security Testing (SAST) software can catch programming mistakes in real time and prevent an error from propagating down the line into problems that are hard to isolate and fix. An investment in SAST can therefore speed up time-to-market and reduce cost and risk.
How does SAST do this? Quite simply by becoming a part of how programmers work. It plugs into their Integrated Development Environment (IDE) and checks the source code when it’s still in the early stages of the software development life cycle (SDLC). It provides real-time metrics and transparency on the quality and security of the source code. By making developers aware of potential security concerns while they are writing the code, it can even help eliminate security vulnerabilities. SAST also reduces the time it takes to review complex code structures and identifies areas the developers need to focus on.
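To make the "checks the source code" step above concrete, here is a small added illustration (not Synopsys's product or any code from the article) of how a static checker works: it parses a file into a syntax tree and walks it looking for known-risky patterns, reporting each with a line number the way an IDE plugin would flag it. The sample source, rule names and messages are constructed for the example; a real SAST tool has far more rules and tracks data flow between them.

```python
import ast

# Constructed sample source (not from the article): the kind of file an
# IDE-integrated checker would analyse while the developer is still typing.
SAMPLE_SOURCE = '''\
import subprocess

PASSWORD = "hunter2"

def run(cmd):
    return subprocess.call(cmd, shell=True)

def compute(expr):
    return eval(expr)
'''

# Rule data for this toy checker (assumed; chosen for illustration).
DANGEROUS_CALLS = {"eval", "exec"}
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'subprocess.call'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


class Checker(ast.NodeVisitor):
    """Walks the syntax tree once and collects findings with line numbers."""

    def __init__(self):
        self.findings = []

    def report(self, rule, node, msg):
        self.findings.append({"rule": rule, "line": node.lineno, "message": msg})

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.report("dangerous-call", node,
                        f"{name}() on untrusted input can execute arbitrary code")
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.report("shell-true", node,
                                f"{name}(..., shell=True) is prone to command injection")
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a secret-looking name is a hardcoded credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.report("hardcoded-secret", node,
                                f"string literal assigned to {target.id}")
        self.generic_visit(node)


def scan(source: str, filename: str = "<sample>"):
    """Parse one file and return its findings ordered by line number."""
    tree = ast.parse(source, filename=filename)
    checker = Checker()
    checker.visit(tree)
    return sorted(checker.findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f['line']}: [{f['rule']}] {f['message']}")
```

Run as a script it prints three findings for the sample (a hardcoded secret on line 3, `shell=True` on line 6, `eval()` on line 9); wired into an editor or a pre-commit hook, the same `scan()` call is what gives a developer the early, line-level feedback the article describes.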
“SAST offers significant cost savings, improved time-to-market and promotes trust in your code,” says Olli Jarva, Senior Solutions Architect with Synopsys Singapore. “From a long-term perspective, it also teaches developers to be better coders who are security-minded.”
The cost of waiting
Capers Jones, an expert in software engineering methodology, explains in his book Applied Software Measurement that the cost of rectifying a code defect rises sharply the later in the SDLC it is found (see chart). In other words, when it comes to code defects, the earlier you find and fix them, the lower the cost to your organization.
For example, a Forrester Consulting study on a Synopsys customer in 2016 found that there was a 5x reduction in defect or vulnerability remediation costs due to earlier detection in the development phase, and a 2x cost reduction in the testing phase.
Another customer that understands the value of SAST is Alcatel-Lucent, a leading global provider of telecoms solutions. According to the company’s Senior Technical Manager Ian Jordan, the SAST software “was identifying issues that were extremely difficult to spot from basic analysis. This gave us real faith that the solution would be able to support our long term testing needs.”
Choosing an SAST solution
So what should you look for in an SAST solution? Firstly, choose a tool that supports the language your team is coding in. If your team is coding in several different languages, be sure to choose a platform that covers them all. Secondly, choose a tool that matches the scale of your coding operations. If you need enterprise support and the ability to track vulnerabilities across teams, don’t settle for a solution that was designed for a standalone coder.
Thirdly, look for integration into existing development workflows with minimal impact on developers’ daily routines. This is essential to get developer buy-in and widespread adoption. Finally, budget properly for the solution you need. Open source might seem a low-cost option, but patching together a toolchain from separate tools adds complexity, and managing that complexity is costly in terms of wasted time. Such hidden costs and the lack of centralized metrics can be avoided with commercial solutions that offer proper support.
This is a QuestexAsia feature commissioned by Synopsys.