Most computer security incidents can be traced back to weaknesses in software that were inadvertently put there when the code was developed. Attackers can – and very often do – find and exploit such weaknesses as a means to attack your enterprise applications. Before you ship or procure another software application, you need to assess if weaknesses in its source code put your enterprise at risk.
What many do not know is that SAST tools are specialized, and each tends to focus on just a subset of the universe of possible weaknesses. No single SAST tool finds even a majority of the weaknesses in software. The Center for Assured Software’s 2010 benchmarking study revealed that the average SAST tool covers only 8 of 13 weakness classes, and finds only 22% of the flaws in each weakness class. So your average SAST tool is likely to find only 14% of the vulnerabilities in your code. And each tool tends to find different classes of weaknesses: there is little overlap between the results of different tools.
Whether you need a Black Box Test or a full review of the environment such as a White Box Test, our experienced professionals can analyze and validate your design and controls and confirm that security is properly in place.
Many companies rely on automated tools to perform a Rapid Scan. Our professionals can also perform their own assessments using manual techniques and Dynamic Analysis, and correlate the results from each approach to show how effective the assessments are. If you are only finding 14% of the issues, how effective is your current process?