✦ …ign-off in past 6 months
✦ >80% of projects with access to automated code review results in past 1 month

B. Integrate code analysis into development process

Add’l Costs
✦ Research and selection of code analysis solution
✦ Initial cost and maintenance of
✦ Ongoing project overhead from automated code review and mitigation

Add’l Personnel
✦ Developers (1-2 days/yr)
✦ Architects (1 day/yr)
✦ Managers (1-2 days/yr)
✦ Security Auditors (3-4 days/yr)

SAMM / The Security Practices - v1.0 (p. 64)

Once a code analysis solution is selected, it must be integrated into the development process to encourage project teams to utilize its capabilities. An effective way to accomplish this is to set up the infrastructure so that scans run automatically at build time or from code in the project’s code repository. In this fashion, results are available earlier, enabling development teams to self-check along the way before release.

A potential problem with legacy systems or large ongoing projects is that code scanners will typically report findings in modules that were not updated in the release. If automatic scanning is set up to run periodically, an effective strategy to avoid review overhead is to limit consideration of findings to those that have been added, removed, or changed since the previous scan. It is critical not to ignore the rest of the results, however, so development managers should take input from security auditors, stakeholders, and the project team to formulate a concrete plan for addressing the remaining findings.

If unaddressed findings from code review remain at release, these must be reviewed and accepted by project stakeholders.

Code Review CR 3
Mandate comprehensive code review process to discover language-level and application-specific risks

A. Customize code analysis for application-specific concerns
Code scanning tools are powered by a built-in knowledge base of rules to check code based on language APIs and commonly used libraries, but have limited ability to understand custom APIs and designs to apply analogous checks. However, through customization, a code scanner can be a powerful, generic analysis engine for finding organization- and project-specific

While details vary between tools in terms of ease and power of custom analysis, code scanner customization generally involves specifying checks to be performed at specific APIs and function call sites. Checks can include analysis for adherence to internal coding standards, unchecked tainted data being passed to custom interfaces, tracking and verification of sensitive data handling, correct usage of an internal API, etc.

Checkers for usage of shared code-bases are an effective place to begin scanner customizations, since the created checkers can be utilized across multiple projects. To customize a tool for a code-base, a security auditor should inspect both code and high-level design to identify candidate checkers to discuss with development staff and stakeholders for implementation.

B. Establish release gates for code review
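To show what "a check at a specific API call site" looks like in practice, here is an added example of a small custom checker written on top of Python's ast module. It is not SAMM's code nor any commercial scanner's rule format: the internal API names in SINKS, the untrusted-input names in SOURCES and the sanitizer names in SANITIZERS are assumptions standing in for whatever an auditor identifies in a real code-base. The checker reports calls to an internal API that receive data traced back to an untrusted source without passing through an approved validator, which is the "unchecked tainted data passed to custom interfaces" case named above.

```python
"""Added example: a toy organization-specific checker built on Python's ast module.
It flags calls to assumed internal APIs (SINKS) whose arguments derive from an
untrusted source (SOURCES) without passing through an approved sanitizer
(SANITIZERS). All three name sets are hypothetical; they are not SAMM's or any
real tool's rule set."""
import ast

SOURCES = {"request.args.get", "request.form.get"}            # assumed untrusted inputs
SANITIZERS = {"validate_account_id", "escape_sql"}            # assumed approved validators
SINKS = {"internal_db.run_query", "ledger.post_transaction"}  # assumed internal APIs


def dotted_name(node):
    """Render a Name/Attribute chain such as request.args.get as a string, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintChecker(ast.NodeVisitor):
    """Intra-procedural, assignment-level taint tracking: enough to show the shape
    of a custom checker, not a substitute for a real dataflow engine."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line, sink name, argument index)

    def is_tainted(self, expr):
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False      # output of an approved validator is trusted
            return any(self.is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.BinOp):       # e.g. "select ..." + acct
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):   # f-strings
            return any(self.is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, set()   # fresh scope per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        tainted_value = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted_value:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            for index, arg in enumerate(node.args):
                if self.is_tainted(arg):
                    self.findings.append((node.lineno, name, index))
        self.generic_visit(node)


def check_source(source):
    """Run the checker over one module's source text; returns the finding list."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample module (not real project code) exercising the three cases:
# raw input reaching a sink, sanitized input reaching a sink, input via an f-string.
SAMPLE = '''
def lookup(request):
    acct = request.args.get("acct")
    safe = validate_account_id(acct)
    internal_db.run_query("select * from accounts where id = " + acct)
    internal_db.run_query("select * from accounts where id = " + safe)
    ledger.post_transaction(f"tx-{acct}")
'''

if __name__ == "__main__":
    for line, sink, index in check_source(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink} (argument {index})")
```

Run against the sample, the checker flags lines 5 and 7 and stays silent on line 6, where the value went through the assumed validator. A real deployment would generalise the taint rules (attribute access, containers, calls across functions), but the pattern of "sources, sanitizers, sinks, declared by the auditor after reading the code and design" is the part that transfers to whatever scanner the organization uses.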
To set a code-level security baseline for all software projects, a particular point in the software development life-cycle should be established as a checkpoint where a minimum standard for code review results must be met in order to make a release.
To begin, this standard should be straightforward to meet, for example by choosing one or
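The two mechanics described in this practice, limiting periodic-scan triage to findings added, removed or unchanged since the previous scan (level 2 above) and a release gate that only lets a build ship when remaining findings have been accepted by stakeholders (level 3), share one prerequisite: a stable identity for each finding. The following is an added example, not SAMM's or any scanner vendor's code, that sketches both on top of such an identity. The Finding fields, the severity names, the gate thresholds in DEFAULT_LIMITS and the sample scan contents are all assumptions constructed for illustration.

```python
"""Added example (not SAMM's or any tool's own code): incremental triage of scanner
findings between two scans, plus a simple release gate over unaccepted findings.
Finding fields, severities and the gate thresholds are assumptions chosen for
illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule id
    path: str       # file the finding was reported in
    line: int       # reported line (deliberately not part of the identity)
    snippet: str    # flagged source line
    severity: str   # "high", "medium" or "low"


def fingerprint(finding):
    """Stable identity for a finding: rule + path + whitespace-normalised snippet.
    Leaving the line number out means edits elsewhere in the file do not make
    an old finding look new on the next scan."""
    normalised = " ".join(finding.snippet.split())
    key = f"{finding.rule}|{finding.path}|{normalised}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def scan_delta(previous, current):
    """Split the current scan into added / removed / unchanged relative to the previous one."""
    prev = {fingerprint(f): f for f in previous}
    cur = {fingerprint(f): f for f in current}
    return {
        "added": [f for k, f in cur.items() if k not in prev],
        "removed": [f for k, f in prev.items() if k not in cur],
        "unchanged": [f for k, f in cur.items() if k in prev],
    }


def needs_plan(delta, accepted):
    """Pre-existing findings nobody has formally accepted: the ones the development
    manager must build a remediation plan for rather than ignore."""
    return [f for f in delta["unchanged"] if fingerprint(f) not in accepted]


# Assumed gate policy: how many unaccepted findings per severity may remain at release.
DEFAULT_LIMITS = {"high": 0, "medium": 5, "low": 20}


def release_gate(current, accepted, limits=DEFAULT_LIMITS):
    """Return (may_release, reasons). A finding passes the gate only if it is fixed
    (absent from the scan) or explicitly accepted by stakeholders."""
    counts = {}
    for f in current:
        if fingerprint(f) not in accepted:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    reasons = [
        f"{n} unaccepted {sev} finding(s); limit is {limits.get(sev, 0)}"
        for sev, n in sorted(counts.items()) if n > limits.get(sev, 0)
    ]
    return (not reasons, reasons)


# Constructed sample scans (paths, rules and snippets are made up).
PREVIOUS_SCAN = [
    Finding("SQLI-01", "src/legacy/report.py", 120,
            "cur.execute('select * from t where n = ' + name)", "high"),
    Finding("HARDCODED-KEY", "src/legacy/config.py", 8, "API_KEY = 'abc'", "medium"),
]
CURRENT_SCAN = [
    # same legacy finding, now on a different line because code above it moved
    Finding("SQLI-01", "src/legacy/report.py", 131,
            "cur.execute('select * from t where n = ' + name)", "high"),
    # brand-new finding introduced in this release
    Finding("XSS-03", "src/web/views.py", 44, "return '<h1>' + title + '</h1>'", "high"),
]
# The legacy SQLI-01 finding was reviewed and accepted by stakeholders in an earlier release.
ACCEPTED = {fingerprint(PREVIOUS_SCAN[0])}

if __name__ == "__main__":
    delta = scan_delta(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket, items in delta.items():
        print(bucket, [f.rule for f in items])
    print("needs plan:", [f.rule for f in needs_plan(delta, ACCEPTED)])
    print("gate:", release_gate(CURRENT_SCAN, ACCEPTED))
```

With the sample data the delta reports XSS-03 as added, HARDCODED-KEY as removed and SQLI-01 as unchanged despite its line number moving, and the gate blocks the release because the new high-severity finding has neither been fixed nor accepted. Recording acceptance against the fingerprint rather than the line number is what keeps the stakeholder sign-off valid across subsequent scans.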