Developer-Led Code Security: Why False Positives Are Worse than False Negatives

3 years ago 165
BOOK THIS SPACE FOR AD
ARTICLE AD

24. July 2021

This article has been indexed from DZone Security Zone

Most SAST tools target security compliance auditors. Their goal is to raise an issue for anything even remotely suspicious. There’s no fear of false positives for those tools because the auditors will figure it out; after all it’s the auditors’ job to sort the wheat from the chaff and the signal from the noise. But the industry should rally around efforts to kill all that noise. There’s little tolerance among developers for crying wolf. SAST players should listen to developers and follow the guiding principle to prefer “reasonable” false negatives to raising false positives.

What does that mean in practical terms? Well, let’s play with some numbers. Let’s say you have a codebase with 12 Vulnerabilities. That’s 12 things that absolutely need fixing. A typical SAST analysis might raise 500 issues in total, and then the auditors will spend X weeks sorting through that to bring you, the developer, the audit result maybe a month or so after you’ve moved on to other code. 

Read the original article: Developer-Led Code Security: Why False Positives Are Worse than False Negatives

Read Entire Article