Why fixing software issues as you code matters and how Rapid Scan SAST can help.
It’s common knowledge that fixing bugs early in the software development life cycle (SDLC) is much faster and less costly than doing it later. However, did you know that developers prefer finding and fixing bugs as they code rather than getting a list of identified issues even just one day later?
To understand why, it helps to consider how developers work and the mental cost of context switching. If developers must stop what they are working on to address a different code issue a day later, it is disruptive and time-consuming, and it can reduce both their productivity and their willingness to fix issues at all. The research paper “Scaling Static Analyses at Facebook” found that fast feedback delivered during code review (on the pull request) was critical to catching bugs early and achieving high fix rates.
The paper also noted that relevance and developers’ familiarity with the code in question mattered. Assigning 20 to 30 issues to developers after a nightly build resulted in very few, if any, of the issues being fixed, whereas surfacing the same analysis results promptly as part of the normal commit/review process produced a fix rate of over 70%. The static application security testing (SAST) analysis and its false-positive rate were the same in both cases; the speed of feedback was what had the greatest impact on fix rate.
Now imagine shifting even further left. If developers could find and fix code issues before they commit their code, wouldn’t that be even better?
Introducing Rapid Scan SAST
Rapid Scan SAST (powered by the new Sigma analysis engine) provides lightning-fast results in seconds for most projects, while developers are coding.
Rapid Scan SAST also includes API and configuration checkers that flag API misuse and insecure settings in configuration files. It is suited to developers who want fast feedback while coding, at every commit/review, or as part of a full CI build. It can emit results in several formats (SARIF, JSON, or console output), and its GitHub Actions and GitLab CI integrations automate pipeline scans and issue management. Issues can also be mapped to a policy file so that builds break automatically when the policy is violated.
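The build-breaking step above works the same way for any scanner that writes SARIF, the interchange format named in this post. The following is an added example, not Rapid Scan SAST’s own policy mechanism or code from Synopsys: a small gate that reads a SARIF 2.1.0 report, counts findings per level, and fails on a hypothetical policy (a per-level threshold plus a set of rule IDs that always block). The SARIF document, the rule IDs, and the policy shape are all constructed for illustration.

```python
"""Policy gate over a SARIF 2.1.0 report (added example, not vendor code)."""
import json
import sys
from collections import Counter

# Constructed sample SARIF document; not output from any real tool.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Possible hard-coded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Hypothetical policy: maximum findings allowed per SARIF level (None = no
# limit) and rule IDs that fail the build regardless of level or count.
DEFAULT_POLICY = {
    "max_per_level": {"error": 0, "warning": 5, "note": None},
    "blocking_rules": {"sql-injection", "command-injection"},
}


def iter_results(sarif):
    """Yield (rule_id, level, uri, line, message) for every result in every run."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (
                result.get("ruleId", "<unknown>"),
                result.get("level", "warning"),  # SARIF's default level is "warning"
                loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                loc.get("region", {}).get("startLine"),
                result.get("message", {}).get("text", ""),
            )


def evaluate(sarif_text, policy=DEFAULT_POLICY):
    """Apply the policy to a SARIF document.

    Returns a dict with per-level counts, the list of policy violations, and
    whether the gate passed (no violations)."""
    sarif = json.loads(sarif_text)
    counts = Counter()
    violations = []
    for rule_id, level, uri, line, message in iter_results(sarif):
        counts[level] += 1
        if rule_id in policy["blocking_rules"]:
            violations.append(f"blocking rule {rule_id} at {uri}:{line}: {message}")
    for level, limit in policy["max_per_level"].items():
        if limit is not None and counts[level] > limit:
            violations.append(f"{counts[level]} {level}-level finding(s) exceed limit of {limit}")
    return {"passed": not violations, "counts": dict(counts), "violations": violations}


def main(argv):
    """CLI entry point: read a SARIF file (or the sample) and exit non-zero on failure."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    report = evaluate(text)
    for violation in report["violations"]:
        print("POLICY VIOLATION:", violation)
    print("counts:", report["counts"], "passed:", report["passed"])
    return 0 if report["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py results.sarif` as the last step of a CI job; the non-zero exit status is what breaks the build. Keeping the thresholds in a policy object separate from the scanner lets a team tighten the gate gradually (for example, lowering the warning limit as the backlog shrinks) without touching the scan configuration.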
Rapid Scan SAST and Coverity are better together
Rapid Scan SAST is complementary to Coverity® and is now available to all Coverity customers. Use Rapid Scan SAST to get fast feedback as you are coding and for your normal code review workflows. And use Coverity for your nightly builds.
Coverity provides comprehensive analysis and has the broadest support for security compliance standards (e.g., OWASP Top 10, CWE Top 25, and PCI DSS) as well as code quality, safety, and reliability standards (e.g., MISRA, CERT C/C++, CERT Java, DISA STIG, ISO 26262, ISO/IEC TS 17961, AUTOSAR, and Nvidia CUDA). Coverity supports a broad set of languages and frameworks, integrations for industry-standard SCMs, CI build servers, and issue trackers, and it provides comprehensive reporting for on-premises as well as cloud-hosted development with Coverity on Polaris Software Integrity Platform®.
No need to choose; leverage the strengths of each: Rapid Scan SAST is best for blazing-fast analysis feedback at developers’ desktops, as they code. Coverity is best for deep, comprehensive static analysis and in situations where standards compliance, language and integration support, and comprehensive reporting and policy management features are required.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Anna Chiang. Read the original post at: https://www.synopsys.com/blogs/software-security/rapid-scan-sast/