Choosing the right static analysis software requires multiple components:
1. What are my business requirements, and do I have champion BUs?
2. What does your application portfolio look like (languages developed in, lines of code, etc.), and do we have a complete application inventory?
3. Who will manage the software, and do they have the skill set? (Be honest; most teams ASSUME they do.)
4. Next, have a Proof of Value with well-defined POV success criteria that you've gathered from the BUs.
5. When looking at a Static Code Analysis software vendor, you may want to scope what Software Composition Analysis they integrate with as well. Over the past few years this has been a highly critical part of AppSec programs. For instance, Veracode has their product SourceClear... Checkmarx previously integrated with WhiteSource, but that relationship ended. Synopsys has been working on their integration with Coverity and Black Duck. Finally, Fortify takes the vendor-neutral approach and has integrations with Black Duck, WhiteSource and Snyk, where the plugins are open source and maintained by the vendor. Fortify's integration with Sonatype takes it a bit deeper to validate if and where the 3rd-party/open source code is instantiated within your code.
Key takeaway: many organizations will use 1 or more Static Code Analysis vendors to meet the business' needs. If you need unified dashboard reporting for them all, look at Saltworks Security SaltMiner or contact me (shameless plug).