APPL-06

Do you subject your code to static code analysis and/or static application security testing prior to release?

Explanation

This question is asking whether your organization uses automated tools to analyze source code for potential security vulnerabilities before releasing software. Static code analysis and static application security testing (SAST) are processes where code is examined without actually executing it. These tools scan the codebase to identify potential security vulnerabilities, coding errors, and deviations from coding standards. Common issues detected include SQL injection vulnerabilities, cross-site scripting (XSS), buffer overflows, insecure cryptographic practices, and other coding flaws that could lead to security breaches.

This question is being asked in a security assessment because:

1. Early vulnerability detection: Finding security issues during development is much less costly than fixing them after deployment
2. Standardized security practices: It demonstrates a commitment to secure development practices
3. Compliance requirements: Many regulatory frameworks (like PCI DSS, HIPAA) require or strongly recommend code analysis
4. Risk reduction: Regular code scanning reduces the likelihood of security vulnerabilities reaching production

To best answer this question:

- Be specific about which tools you use (e.g., SonarQube, Veracode, Checkmarx)
- Explain when in your development lifecycle these scans occur (e.g., pre-commit, in CI/CD pipeline)
- Mention how findings are prioritized and remediated
- Describe any policies around blocking releases based on scan results
- If you don't perform static analysis, explain any compensating controls you have in place

Example Responses

Example Response 1

Yes, our organization implements a comprehensive static code analysis process as part of our secure development lifecycle. We use SonarQube for general code quality and Checkmarx for security-specific static application security testing. These tools are integrated into our CI/CD pipeline, and scans are automatically triggered with each pull request and before any code is merged to our main branch. Critical and high severity findings must be remediated before code can be promoted to production. Our security team reviews the scan results weekly and works with development teams to address any identified vulnerabilities. We also conduct quarterly manual reviews of scan configurations to ensure we're using up-to-date rule sets and detection patterns.

Example Response 2

Yes, we employ static code analysis and SAST as part of our development process. Our approach involves multiple layers: developers run pre-commit hooks that include ESLint and security-focused plugins to catch basic issues before code is committed. In our CI pipeline, we use Veracode Static Analysis, which scans all code changes. Additionally, we run GitHub Advanced Security (GHAS) scans on our repositories. Our security policy requires that all critical vulnerabilities must be fixed immediately, high-severity issues within 2 weeks, and medium-severity issues within 30 days. We track remediation metrics and include them in our quarterly security reviews. We've found this multi-layered approach helps us catch different types of issues at various stages of development.

Example Response 3

No, we currently do not perform static code analysis or SAST on our codebase. As a small development team of three engineers, we've focused our limited security resources on other areas we've deemed higher priority based on our risk assessment, such as regular penetration testing and runtime application protection. We recognize this is a gap in our security practices and have included implementing a static analysis solution in our security roadmap for the next quarter. In the meantime, we conduct peer code reviews with security-specific checklists and have implemented secure coding guidelines that all developers must follow. We understand this approach doesn't provide the same level of assurance as automated static analysis tools and are working to address this limitation.
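The release-blocking policy mentioned in the explanation and the severity-based remediation deadlines in Example Response 2 are easy to state but only useful if the pipeline actually enforces them. The following added example (not code from this page or from any named tool) shows a CI gate step that reads a scanner's exported findings, fails the build on critical/high findings, and reports findings past their SLA. The export format, rule ids, file paths, dates and the suppression list are constructed assumptions; a real tool's export would need its own parser.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy from this page's example responses: critical/high block promotion to
# production; remediation deadlines (days) by severity. Low is tracked only.
BLOCKING_SEVERITIES = {"critical", "high"}
SLA_DAYS = {"critical": 0, "high": 14, "medium": 30}

def normalize_severity(raw: str) -> str:
    """Lower-case the scanner's label; fail closed on anything unrecognised."""
    sev = raw.strip().lower()
    return sev if sev in {"critical", "high", "medium", "low"} else "critical"

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    first_seen: date  # date the scanner first reported this finding

def parse_tool_export(rows):
    """Turn a scanner's JSON-style export (list of dicts) into Finding objects."""
    return [Finding(r["rule"], normalize_severity(r["severity"]), r["file"],
                    int(r["line"]), date.fromisoformat(r["first_seen"])) for r in rows]

def evaluate(findings, today, suppressed=frozenset()):
    """Apply the gate: which findings block the release and which are past SLA."""
    active = [f for f in findings if (f.rule_id, f.path, f.line) not in suppressed]
    blocking = [f for f in active if f.severity in BLOCKING_SEVERITIES]
    overdue = [f for f in active if f.severity in SLA_DAYS
               and today > f.first_seen + timedelta(days=SLA_DAYS[f.severity])]
    return {"block": bool(blocking), "blocking": blocking, "overdue": overdue}

# Constructed sample export, not the output of any real scanner.
SAMPLE_EXPORT = [
    {"rule": "sql-injection", "severity": "High", "file": "app/db.py", "line": 42, "first_seen": "2024-05-01"},
    {"rule": "xss-reflected", "severity": "medium", "file": "app/views.py", "line": 17, "first_seen": "2024-03-01"},
    {"rule": "weak-hash", "severity": "low", "file": "app/auth.py", "line": 9, "first_seen": "2024-01-01"},
    {"rule": "hardcoded-secret", "severity": "critical", "file": "tests/fixtures.py", "line": 3, "first_seen": "2024-05-20"},
]
# Reviewed exception (dummy secret in a test fixture), keyed to an exact location.
SUPPRESSED = frozenset({("hardcoded-secret", "tests/fixtures.py", 3)})

def gate_sample(today_iso="2024-05-21"):
    return evaluate(parse_tool_export(SAMPLE_EXPORT), date.fromisoformat(today_iso), SUPPRESSED)

if __name__ == "__main__":  # non-zero exit fails the pipeline step
    raise SystemExit(1 if gate_sample()["block"] else 0)
```

Suppressions are tied to a rule, file and line so that a reviewed exception does not silently cover a new finding of the same type elsewhere, and unknown severity labels are treated as critical rather than ignored.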

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub