In the last two decades, with the rise of mobile, web, and cloud applications with multiple deployment options such as on-prem, hybrid, and cloud, we have witnessed an increase in the usage of security tools targeted towards Software Development Life Cycle (SDLC) processes and workflows. Unfortunately, these tools often generate many false positives, which results in wasted time and significant frustration.
One of the main goals has been to find and remediate security vulnerabilities as early as possible in the SDLC (called “Shift Left”). Fixing a vulnerability early takes less time and fewer resources, and it avoids the negative impact on brand recognition that follows when the same vulnerability is found in production. It is also much more difficult for the development team to “remember” what they did, and how to fix it, after a certain amount of time has passed.
With the shift of software development to an “Agile” workflow, the pace of delivering products, features, and fixes has increased rapidly. Security tools in the software development life cycle have risen in parallel and are being used more frequently than ever.
Security tools, including Static Analysis, Fuzzing, Dynamic Analysis, and others, are the default go-tos of CISOs and security architect teams aiming to integrate security into the SDLC, with the goal of catching security problems as early as possible in product development.
Unfortunately, more tools mean more alerts, and together these tools can generate thousands of security alerts that R&D teams must spend significant time reviewing and triaging. Because these tools lack the context of code flow, don’t integrate with each other, and don’t truly understand the source code, they generate a non-trivial number of false positives.
Dealing with security alerts is a daunting task for developers and security architects because it demands meaningful time and resources to review and triage the generated alerts. Given the short “Agile” development cycles, with their emphasis on coding and shipping fast, developers and managers want to make the most of their time.