I’m looking for some feedback from you all on static analysis tools today and whether you can implement these tools without breaking the bank. If you follow me on Twitter you might have noticed that I’ve started a vendor selection process for a static analysis tool to complement our manual processes here at Realex Payments. I know these tools aren’t cheap, but I had a budget in mind which I thought would get us a solution that meets most of our requirements – boy was I wrong! I’m being realistic with our requirements; I can’t justify the cost of implementing an all-singing, all-dancing static and dynamic analysis solution integrated into “everything”, but the figures I had in my mind would make the static analysis solution the largest application security expense for the company after application security resource salaries.
Are commercial static analysis solutions affordable only for consultancies and large software companies, and are they actually worth that much money? I’m not trying to cause an argument or a flame war; I’m genuinely interested in people’s opinions on this.
We have a very strong SDLC with security ingrained throughout, and this includes the use of some open source/free static analysis tools such as Findbugs, RIPS and CodePro AnalytiX to complement our manual reviews. We also use in-house tools such as Agnitio and have a commitment to conduct manual reviews of all code changes before they are deployed into production. We are currently trying to hire another application security analyst to ensure the manual review process continues to be executed twice per project.
So now I’m looking for opinions from you all on what you have done from a static analysis point of view. What has worked for you? Are these commercial tools genuinely worth the money, and do the downsides (false positives, for example) outweigh the positives in your experience? What vendors have you used, would you recommend them to another company, and if so, why? What do we gain from buying an expensive commercial solution versus buying cheaper solutions such as Klocwork Solo to use in conjunction with the tools mentioned above and expanding in-house tools such as Agnitio to include automated code crawling capabilities?
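To make the “automated code crawling” and false-positive trade-off above concrete, here is an added example of the kind of minimal in-house crawler the post is weighing against a commercial tool. It is editor-supplied illustration, not code from Agnitio, Realex Payments or any vendor, and the Java snippet it scans is constructed for the example. Two regex rules look for a command-execution sink and for SQL built by string concatenation; the run shows a true positive for each, a line that is correctly left alone (a parameterised query), and a false positive (a log message that happens to start with SELECT), plus the two cheap mitigations a practitioner reaches for first: ignoring comments before matching, and a reviewer-maintained suppression list that feeds back into the manual review process.

```python
import re
from dataclasses import dataclass

# Constructed sample Java source for the demonstration (not from any real code base).
SAMPLE_JAVA = """\
package example;

public class UserDao {
    // TODO: never call Runtime.getRuntime().exec() from request handlers
    public void run(String cmd) throws Exception {
        Runtime.getRuntime().exec(cmd);                       // true positive
    }

    public ResultSet find(Statement stmt, String id) throws Exception {
        return stmt.executeQuery("SELECT * FROM users WHERE id = " + id);  // true positive
    }

    public PreparedStatement safe(Connection c, String id) throws Exception {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE id = ?");
        ps.setString(1, id);
        return ps;                                            // not flagged: bound parameter
    }

    public void audit(String id) {
        String msg = "SELECT audit for " + id;                // false positive for the SQL rule
        System.out.println(msg);
    }
}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


# Hypothetical rule set: a command-execution sink and SQL keywords inside a string
# literal that is immediately concatenated with something else.
RULES = [
    ("cmd-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\(")),
    ("sql-concat", re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')),
]

# Single-line comment stripper. Deliberately naive: it would also eat "//" inside
# a string literal such as a URL, which is itself a source of false negatives.
COMMENT_RE = re.compile(r"//.*$")


def strip_comments(line: str) -> str:
    return COMMENT_RE.sub("", line)


def crawl(source: str, ignore_comments: bool = True) -> list[Finding]:
    """Scan Java source line by line and return every rule hit in file order."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = strip_comments(raw) if ignore_comments else raw
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, raw.strip()))
    return findings


def triage(findings: list[Finding], reviewed_false_positives: set[tuple[str, int]]) -> list[Finding]:
    """Drop findings a human reviewer has already marked as false positives."""
    return [f for f in findings if (f.rule, f.line) not in reviewed_false_positives]


if __name__ == "__main__":
    # Without comment stripping the TODO comment on line 4 is reported as a command-execution sink.
    for f in crawl(SAMPLE_JAVA, ignore_comments=False):
        print(f"raw   {f.rule:<10} line {f.line}: {f.text}")
    # With comment stripping the comment disappears, but the log-message false positive on line 20 stays:
    # no regex can tell a query from a string that merely contains SQL keywords.
    reviewed = {("sql-concat", 20)}  # recorded by the manual review, hypothetical suppression list
    for f in triage(crawl(SAMPLE_JAVA), reviewed):
        print(f"triaged {f.rule:<10} line {f.line}: {f.text}")
```

The point of the run is not the two rules but the shape of the residue: comment stripping removes the cheap false positive, while the log-message hit survives because pattern matching has no notion of where the string ends up. Removing that class of noise needs data-flow analysis (tracking whether the concatenated string reaches `executeQuery`), which is the part of the work commercial tools charge for; everything below that line is a weekend of Python plus the reviewer suppression list.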
On a slightly different note, I wonder if the cost of these application security solutions has a bearing on the low application security spend pointed out by Gunnar Peterson and Jeremiah Grossman recently? If I’m a manager/CxO looking at the cost of these solutions I’d be expecting miracles from them; in fact I’d probably point to the (much) lower cost of our network security solutions and ask why there is such a big difference! If the manager/CxO can hire 4 or 5 members of staff for the cost of an application security solution, guess where the money is going to go.
I’m looking forward to hearing what you all think about this!