New Report from Security Compass Highlights the Failings of Application Code Scanners

Scanners Alone Won't Catch Many Security Vulnerabilities -- Companies Must Also Invest in Software Security Requirements Management Processes and Tools

Toronto, Ontario, CANADA

TORONTO, ON--(Marketwired - June 28, 2017) - Security Compass, providing organizations with the knowledge, training and technology to make software secure, today announced the updated findings of its research examining Static Application Security Testing (SAST) tools. SAST tools are used to analyze code and identify security vulnerabilities early in the software development lifecycle; Security Compass researchers found that the exclusive use of SAST code scanners leaves applications open to security risks.

The secondary research report, Gap Analysis of Code Scanners, found that popular scanners are unable to catch all security vulnerabilities -- from flaws in developer intent to flaws introduced by compiler optimization -- and so often produce false negatives. A recent third-party study reveals that up to 68 percent of buffer overflow vulnerabilities are not detected by some scanners, and the Software Engineering Institute's CERT division states that not all security vulnerabilities can be detected through automation.

Catching errors before deploying into a production environment can help reduce costs and improve software quality. Static and dynamic application security testing are important parts of the software development process. This research by Security Compass sought to identify where scanners are likely to miss vulnerabilities and to offer readers expert advice on how best to address the gap left behind by relying on scanners alone.

Key findings and conclusions featured in the report include:

  • Scanners, by nature, will always generate false negatives, including for major risks;
  • Even critical security vulnerabilities, like buffer overflows, are missed more than 50 percent of the time by scanners; and
  • Secure code does not imply a secure build. Compilers can introduce security vulnerabilities.
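One widely documented instance of the third finding, shown here as an added illustration that is not taken from the Security Compass report: a function wipes key material with memset before returning, the source passes review and scanner alike, and the optimizer deletes the wipe because the buffer is never read again (dead-store elimination). The code below is constructed for this page; the toy key derivation is a placeholder, not a real KDF, and the hardened wipe uses the volatile-function-pointer idiom, which is one standard workaround alongside C11 memset_s and explicit_bzero where those are available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* memset reached through a volatile function pointer: the optimizer cannot
 * prove which function is called at run time, so it cannot drop the call as
 * a dead store. (Assumed idiom for this example; memset_s or explicit_bzero
 * are preferable where the platform provides them.) */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    secure_memset(p, 0, n);
}

/* Returns 1 if every byte in p[0..n) is zero, else 0. */
int is_all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

#define KEY_LEN 32

/* Constructed toy key schedule for illustration only; not a real KDF. */
static void toy_derive(uint8_t key[KEY_LEN], const char *pw, size_t pwlen)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)pw[i % pwlen] ^ (uint8_t)(i * 31u + 7u);
}

/* Source that looks secure: the key is wiped before the function returns.
 * The wipe writes to an object that is never read again, so at -O2 a
 * conforming compiler may delete it and leave the key on the stack. A
 * source-level scanner sees nothing wrong, because the source is fine. */
uint8_t checksum_naive(const char *pw, size_t pwlen)
{
    uint8_t key[KEY_LEN];
    uint8_t sum = 0;
    toy_derive(key, pw, pwlen);
    for (size_t i = 0; i < KEY_LEN; i++)
        sum ^= key[i];
    memset(key, 0, sizeof key);   /* dead store: may be optimized away */
    return sum;
}

/* Same logic with a wipe the optimizer must keep. */
uint8_t checksum_hardened(const char *pw, size_t pwlen)
{
    uint8_t key[KEY_LEN];
    uint8_t sum = 0;
    toy_derive(key, pw, pwlen);
    for (size_t i = 0; i < KEY_LEN; i++)
        sum ^= key[i];
    secure_zero(key, sizeof key); /* survives dead-store elimination */
    return sum;
}

/* Self-check: fill a buffer, wipe it through secure_zero, confirm it is zero. */
int wipe_works(void)
{
    uint8_t buf[KEY_LEN];
    memset(buf, 0xA5, sizeof buf);
    if (is_all_zero(buf, sizeof buf))
        return 0;                 /* fill did not take; something is wrong */
    secure_zero(buf, sizeof buf);
    return is_all_zero(buf, sizeof buf);
}

int main(void)
{
    const char *pw = "correct horse";   /* constructed input */
    printf("secure_zero wiped buffer: %s\n", wipe_works() ? "yes" : "no");
    printf("naive %02x, hardened %02x (same output, different stack hygiene)\n",
           checksum_naive(pw, strlen(pw)), checksum_hardened(pw, strlen(pw)));
    return 0;
}
```

Both functions compute the same result, which is exactly why a scanner working from the source cannot distinguish them; the difference only exists in the compiled object. To see it on a given toolchain, compile both at -O2 and inspect the disassembly for the presence or absence of the memset call, rather than trusting the source or the scanner verdict.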

"Our research indicates that reliance on scanners only will cover only half of known vulnerabilities -- leaving applications exposed to undue risk," said Altaz Valani, Director of Research at Security Compass. "Abstracting code to a higher level and applying software security requirements at the onset of the development lifecycle will give developers an opportunity to address virtually all known vulnerabilities and build better, more secure software."

Relying on code scanners alone for visibility into software's risk profile is ineffective and inefficient. Organizations should question their risk assumptions related to code scanners and conduct a deeper dive into the software development lifecycle (SDLC) process. Software security requirements must be considered early. To this end, Software Security Requirements Management (SSRM) best practices will better prepare organizations to seamlessly address advanced security threats and manage risk without disrupting developers or the software development process.

To download a complete copy of the report, "Gap Analysis of Code Scanners: A Deeper Dive into the Problem of False Negatives," go to:

About Security Compass

Security Compass is a software security company that provides professional services, training, and a first-of-its-kind Software Security Requirements Management (SSRM) platform to help eliminate security vulnerabilities in mission-critical applications, minimize organizational risk, and easily meet regulatory and compliance standards. With Security Compass as a trusted information security partner, organizations can unify application security with business goals to build better, more secure software. Its flagship platform, SD Elements, is uniquely positioned to help organizations seamlessly introduce security requirements early in the software development lifecycle. The privately held company is headquartered in Toronto, Canada, with global offices in the United States and India.

Contact Information:

Media Contact:
April H. Burghardt
PR Consultant for Security Compass