[WEB SECURITY] Static Source Code analysis Methodology

Sebastian Schinzel ssc at seecurity.org
Mon May 9 14:46:08 EDT 2011


Hi Pam,

I guess you are looking for advice on how to use an SCA tool to do
a security assessment?

For starters, it works like this:

1. Install SCA tool
2. Run tool on a large code base
3. Learn that the tool produces > 1.000 potential findings
4. Panic!
5. Call management and tell them about the amount of findings
6. Listen to them panic
7. Show the findings to developers
8. Listen to them call you names
9. Learn that "potential findings" are not necessarily real findings

... *kidding*

But seriously, I think SCA does not have a standard methodology by
itself, but SCA *is part* of a standard methodology called secure software
development.

If you are implementing SCA for a development group that has never worked
with SCA, I advise you to take one of the senior developers and an experienced
SCA consultant and scan the code with them.

Regards,
Sebastian

On May 7, 2011, at 8:09 PM, Parmendra Sharma wrote:

> Hi All,
> 
> In one of my upcoming assignments, I need to perform Static Source Code Analysis (SSCA) and prior to this I need to explain the 'Standard Methodology' which will be followed for performing SSCA.
> 
> I need to know which standard methodology is generally followed for SSCA process.
> 
> -- 
> 
> Thanks and Regards:
> Pam
>  
> Parmendra Sharma
> Application Security Consultant
> email: s.parmendra at gmail.com

---
Sebastian Schinzel, M.Sc.

Lehrstuhl für Informatik 1
IT-Sicherheitsinfrastrukturen

Am Wolfmantel 46
91058 Erlangen

Tel.: +49 (0) 9131 / 8525300
Mobile: +49 (0) 151 / 15215206
Fax: +49 (0) 9131 / 8525319
Web: www1.informatik.uni-erlangen.de
Email: sebastian.schinzel at informatik.uni-erlangen.de