Application Source Code Scanning
Application Source Code Scanning Information
Application source code scanning provides a fully automated mechanism for identifying potential security vulnerabilities in an application's source code. By identifying coding flaws and design errors that put data and operations at risk before deployment, source code scanning is an integral part of a comprehensive Application Security program.
Key activities include:
- Automated scanning of key source code using a commercial or open source scanner designed for the language in use; and
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by an Automated Code Scan are:
- It can be an effective method of identifying functionality and syntax errors;
- It can be used to focus manual code review on problematic sections of code;
- It can be used after a Vulnerability Assessment to more quickly identify the coding flaw responsible for a particular vulnerability; and
- It can be used to enforce compliance with relevant coding standards in the Security Development Life Cycle.
Application Source Code Scanning: Best Used
- For larger applications where manual code reviews are not practical; and
- As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical applications.