Developers Need More Usable Static Code Scanners to Head Off Security Bugs

My advice is to invest in your threat modelling process and tools to get a better return from ‘shifting-left’, especially given how unusable the lower level tools seem to be…:

[…] The research comes as developers are increasingly being tasked with taking responsibility for the security of their code, often by getting earlier results of security analyses as they write their code. The simplest form of such tools are linters — named after “lint,” a Unix-based code scanner — that use a variety of pattern matching and simple analysis to highlight potential code defects. More extensive static application security testing (SAST) tools perform a variety of analyses using source code to identify potential security vulnerabilities.

However, irrespective of how the tools perform, their usability is often an afterthought, said Smith, who conducted the research while a PhD student at North Carolina State University. The paper, titled “Why Can’t Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security,” describes a heuristic walkthrough approach to analyzing the software as well as a survey of users.


Read the original article here