Good Attributes to Watch Out For
There are many great static analysis tools available on the market today. Many of them offer great features and promise to secure your application from unique and isolated threats. Matching the static analysis tool to your specific development process can mean the difference between a painful process and a seamless integration with your current development process.
The most obvious requirement for any static analysis tool is to make sure it integrates well with your current development environment. Whether it's a plug-in for Eclipse or an add-in for Visual Studio, make sure that it works well and does not require too much hardware overhead such as extra processor power or memory. It's no fun to be forced to upgrade all the development machines to get a new static analysis tool to work. Also, make sure that the static analysis tool you choose supports not only the programming languages you are using currently, but any anticipated languages.
Many static analysis tools are definition based, which allows you to update them as new vulnerabilities are discovered. This is a great feature which can save you a lot of time and money down the road. Also look for a static analysis tool that will let you write your own definitions. This will allow for even tighter coupling between the base static analysis tool and your internal best practices.
Ask your current development team if they have suggestions for static analysis tools that they've found to be effective. Ramp-up time on these tools can be significant so if there is a developer who is already experienced with a tool it may be worthwhile to use that developer as a resource when deploying the tool. If you do not gravitate towards a specific static analysis tool, consider the overhead time it takes to train the development team on each tool and the support that will be provided by the static analysis tool company.
Before Deploying a Static Analysis Tool
Before diving into the use of static analysis tools, consider deploying a few on small projects to get a feel for their usability and ability to integrate with tools already being used in your development shop. These small projects can range from small mockup projects specifically designed to test the tool to testing the whole project for a short amount of time. If you choose the latter, understand that there will be a lot of overhead time as the developers learn a new tool.
When deploying a new tool, be sure to appoint a dedicated team member who will master the tool. This person should understand all the features of the tool and how to apply them to the current project and be a heavily trained and competent developer.
For static analysis to be most effective, it must be coupled with security awareness training for developers so they can understand the threats and readily interpret and act on the results. There are a number of secure coding courses, which range from classes which assume no previous security knowledge to advanced security courses which challenge developers to understand secure development practices completely. However, make sure the source of your training is well-qualified and knowledgeable--there are many self-styled experts ready to pass themselves of as application development, testing and security gurus.
Remember, too, once you receive training and feel knowledgeable in the field of application security, make sure to tap into the services of external security testers to help audit and gauge your performance. Keep security in the front of your mind throughout the development process to ensure more secure products that will delight your customers.