Do you subject your code to static code analysis and/or static application security testing prior to release?
Explanation
Secure development practices are under review here, specifically whether you run static code analysis or static application security testing on your code before each release.
Static code analysis and static application security testing (SAST) are processes where code is examined without actually executing it. These tools scan the codebase to identify potential security vulnerabilities, coding errors, and adherence to coding standards. Common issues detected include SQL injection vulnerabilities, cross-site scripting (XSS), buffer overflows, insecure cryptographic practices, and other coding flaws that could lead to security breaches.
This question is being asked in a security assessment because:
- Early vulnerability detection: Finding security issues during development is much less costly than fixing them after deployment
- Standardized security practices: It demonstrates a commitment to secure development practices
- Compliance requirements: Many regulatory frameworks (like PCI DSS, HIPAA) require or strongly recommend code analysis
- Risk reduction: Regular code scanning reduces the likelihood of security vulnerabilities reaching production
To best answer this question:
- Be specific about which tools you use (e.g., SonarQube, Veracode, Checkmarx)
- Explain when in your development lifecycle these scans occur (e.g., pre-commit, in CI/CD pipeline)
- Mention how findings are prioritized and remediated
- Describe any policies around blocking releases based on scan results
- If you don't perform static analysis, explain any compensating controls you have in place
Example Responses
Example Response 1
Yes, our organization implements a comprehensive static code analysis process as part of our secure development lifecycle We use SonarQube for general code quality and Checkmarx for security-specific static application security testing These tools are integrated into our CI/CD pipeline, and scans are automatically triggered with each pull request and before any code is merged to our main branch Critical and high severity findings must be remediated before code can be promoted to production Our security team reviews the scan results weekly and works with development teams to address any identified vulnerabilities We also conduct quarterly manual reviews of scan configurations to ensure we're using up-to-date rule sets and detection patterns.
Example Response 2
Yes, we employ static code analysis and SAST as part of our development process Our approach involves multiple layers: developers run pre-commit hooks that include ESLint and security-focused plugins to catch basic issues before code is committed In our CI pipeline, we use Veracode Static Analysis which scans all code changes Additionally, we run GitHub Advanced Security (GHAS) scans on our repositories Our security policy requires that all critical vulnerabilities must be fixed immediately, high-severity issues within 2 weeks, and medium-severity issues within 30 days We track remediation metrics and include them in our quarterly security reviews We've found this multi-layered approach helps us catch different types of issues at various stages of development.
Example Response 3
No, we currently do not perform static code analysis or SAST on our codebase As a small development team of three engineers, we've focused our limited security resources on other areas we've deemed higher priority based on our risk assessment, such as regular penetration testing and runtime application protection We recognize this is a gap in our security practices and have included implementing a static analysis solution in our security roadmap for the next quarter In the meantime, we conduct peer code reviews with security-specific checklists and have implemented secure coding guidelines that all developers must follow We understand this approach doesn't provide the same level of assurance as automated static analysis tools and are working to address this limitation.
Context
- Tab
- Infrastructure
- Category
- Application/Service Security
Related questions
- Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?
- Are you using a web application firewall (WAF)?
- Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?
- Does your application require access to location or GPS data?
- Does your application provide separation of duties between security administration, system administration, and standard user functions?
- Do you have software testing processes (dynamic or static) that are established and followed?

