Fraunhofer IEM - Enabling DevSecOps with the new Generation of Static Analysis

TECHNOLOGY

DevSecOps promises to leverage the advantages of continuous, integrated development and operations to produce more secure software, with rapid update cycles. Proper automation is key to any successful DevOps process, which is why DevSecOps requires effective security-testing automation.

Static analysis enables effective white-box security testing in early as well as later phases of the development lifecycle and is thus should be an important part of any DevSecOps tool chain.

In this talk I will present demonstrate how current scientific advancements allow for static analyses with excellent signal-to-noise ratios, yielding false-warnings rates of often under 5%. Those next-generation static analyses not just pinpoint security vulnerabilities but instantly provide suggestions on how to fix them, for instance by generating pull requests in your favourite continuous integration.

In result, next-generation static analysis tools aid developers in identifying and fixing vulnerabilities instantly, yielding a lean and cost-effective development process in which software vulnerabilities are prevented early on, but are also being prevented from being re-introduced during operation.