A Security Practices Evaluation Framework

Apply Security Tooling

Use security-focused verification tool support (e.g. static analysis, dynamic analysis, coverage analysis) during development and testing.

Description

Use security-focused verification tool support (e.g. static analysis, dynamic analysis, coverage analysis) during development and testing. Static analysis tools apply verification rules to program source code. Dynamic analysis tools apply verification rules to running programs. Fuzz testing is a security-specific form of dynamic analysis, focused on generating program inputs that can cause program crashes. Coverage analyzers report on how much of the code is ‘covered’ by the execution of a set of tests. Combinations of static, dynamic, and coverage analysis tools support verification of software.
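As an added illustration of how fuzzing and coverage analysis combine (this is example code written for this page, not part of the framework): a minimal coverage-guided fuzzer in Python that mutates inputs, traces which lines of a toy parser each input executes, keeps inputs that reach new lines, and stops at the first crashing input. The parser `parse_message`, its deliberately missing bounds check, and the seed message are all constructed for the example.

```python
import random
import sys

def parse_message(data: bytes) -> int:  # constructed toy target: 'MZ' magic, count, flags, 2-byte records
    if len(data) < 4 or data[:2] != b"MZ":
        return -1  # rejected: wrong magic or too short
    count, flags, body = data[2], data[3], data[4:]
    total = 0
    for k in range(count):  # deliberate defect: count is never checked against len(body)
        total += body[2 * k] ^ body[2 * k + 1]
    return ~total & 0xFF if flags & 1 else total

def run_with_coverage(target, data):  # dynamic analysis: run target(data) under a line tracer
    hit = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            hit.add(frame.f_lineno)  # record each source line the target executes
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return hit, None  # (lines hit, no crash)
    except Exception as exc:  # any uncaught exception counts as a crash
        return hit, exc
    finally:
        sys.settrace(None)

def mutate(data: bytes, rng: random.Random) -> bytes:  # one random byte-level mutation
    buf, op = bytearray(data), rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)  # overwrite a byte
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))  # insert a byte
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]  # delete a byte
    return bytes(buf)

def fuzz(target, seeds, iterations, rng_seed=1):  # coverage-guided loop; stops at first crash
    rng, corpus = random.Random(rng_seed), list(seeds)
    covered = set().union(*(run_with_coverage(target, s)[0] for s in seeds))
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        hit, exc = run_with_coverage(target, child)
        if exc is not None:
            return {"crash": child, "error": repr(exc), "coverage": covered | hit}
        if not hit <= covered:  # new lines reached: keep this input for further mutation
            covered |= hit
            corpus.append(child)
    return {"crash": None, "error": None, "coverage": covered}
SEED = b"MZ\x01\x00\x10\x20"  # constructed valid message: one record (0x10, 0x20)
```

Running `fuzz(parse_message, [SEED], 3000)` returns the first input that raises an `IndexError` in the parser together with the set of parser lines exercised so far; a real project would feed such a crash into its defect tracker, as implementation question 6 below asks.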

Practice Implementation Questions

  1. Are security tools used by the project?
  2. Are coverage analyzers used?
  3. Are static analysis tools used?
  4. Are dynamic analysis tools used?
  5. Are fuzzers used on components that accept data from untrusted sources (e.g. users, networks)?
  6. Are defects created for (true positive) warnings issued by the security tools?
  7. Are security tools incorporated into the release build process?
  8. Are security tools incorporated into the developer build process?

Keywords

automate, automated, automating, code analysis, coverage analysis, dynamic analysis, false positive, fuzz test, fuzzer, fuzzing, malicious code detection, scanner, static analysis, tool

Use automated tools along with manual review.