No Clearance for This Secret: Information Assurance is MORE Than Security
John Keane’s presentation: Software Code Quality Checking (SCQC) No Clearance for This Secret: Information Assurance is MORE Than Security was a great learning experience for me and many in the audience of the recent CAST / Galorath seminar in the Washington DC area.
The most striking conclusions from my viewpoint were:
Most forms of testing only find about 35% of the bugs that are present
Static analysis prior to testing is very quick and about 85% efficient
Static analysis tools find many defects and code violations and have an ROI on any serious project
Use of static analysis tools BEFORE manual peer reviews (which shouldn’t be completely eliminated based on static analysis) reduces cost and increases reliability
Use static analysis tools before security analysis tools. This reduces the effort in security analysis by a huge amount.
- QUALITY is the biggest driver of sustainment cost
- The FOUNDATION of SECURE software is QUALITY software.
- Software Assurance is 5 parts Code Quality with 2 parts Software Security.
- Code Quality scans should ALWAYS precede Security scans
- Improves effectiveness and efficiency of the security scans (e.g., remove ‘false positives,’ focus on highest risks, etc.)
- Recommended Best Practice
- Validated by MULTIPLE reports and analyses based on hands-on experience
- Discovers risks in addition to security (e.g., performance)
John points out that Static code analysis, Static security analysis, Dynamic code analysis, Dynamic security analysis, and Architectural analysis are all helpful in building secure software.
Thank you for reading “Dan on Estimating”, if you would like more information about Galorath’s estimation models, please visit our contact page, call us at +1 310 414-3222 or click a button below to ask sales questions, sign up for our free library or schedule a demo.