The pros and cons of cloud-based static code analysis tools

Using the cloud can streamline secure software development, but comes with challenges and risks.

An increasing number of security functions are moving to the cloud, including development tools such as static...

code analysis. Cloud-based static code analysis tools offer organizations convenience and cost savings, but their effectiveness still relies on the developers using them, experts say.

That's really the beauty of cloud provisioning: You turn it on when you need it and you turn it off when you don't.

Ed Adams,
president and CEO, Security Innovation, Inc.

Cloud-based static code analysis "is essentially where you take the traditional functionality of reviewing code for security issues and you rely on a third-party vendor to take your code and scan it in the cloud for you," said Frank Kim, founder and principal consultant at security consulting firm ThinkSec and curriculum lead for application security at the SANS Institute. With the Software as a Service (SaaS) model, organizations upload executables to the vendor, he said.

According to Ed Adams, president and CEO at Security Innovation Inc., a Wilmington, Mass.-based firm that provides software security training and assessment services, market demand for application security has pumped new life into static analysis. "Every day, we're analyzing some piece of software or recommending how organizations can improve their software development lifecycle (SDLC), and a critical component to that is static analysis. And over the last couple of years, we’ve seen a fair amount of movement from desktop [tools] to an automated service," he said.

Using cloud-based tools relieves the security team from some of the burden associated with static analysis. "A big hurdle with any application security process or tool is getting the expertise in-house to maintain that capability. Getting the infrastructure up and running, evaluating results, false positives -- an expert has to read through all of that. If you can offload some of that intensive labor stuff, then you can direct resources into more valuable areas," Kim said.

Because cloud services eliminate capital expenditures, cloud-based static code analysis tools also offer more flexibility. "The different vendors have different capabilities depending on the language and nature of the application," Kim said. "It might behoove you -- if you are a large organization and you have apps written in different languages and platforms -- to test those different technologies with different cloud-based vendors because they may have different strengths based on where they come from historically."

Adams said his company chooses a tool based on its strengths for a given project. It may lease a tool for a month, use it as much as needed, and then turn it off. "That's really the beauty of cloud provisioning: You turn it on when you need it and you turn it off when you don't, as opposed to a desktop tool where you pay for a licensing fee whether or not you're using it," he said.

Cloud-based static code analysis challenges

However, a cloud-based tool is worthless if developers are not applying the results. The tools do a good job flagging vulnerabilities, but they only do a rudimentary job on telling you how to fix them, Adams said. "They don't give secure coding guidance so that a developer can get ahead of the next time a scan is done to make sure the same vulnerability doesn't occur. That's the most expensive part -- recurrence of the same vulnerability because the developer doesn't know how to develop securely.

"Integrating static analysis into the SDLC is the biggest stumbling block," Adams said. "Ultimately, static analysis has to come back to and reside with the developer. A lot of organizations have a centralized security chain that runs static analysis as an audit as opposed to an integrated part of an SDLC. It's not a flaw, but it's a stumbling block to using static analysis successfully."

Kim agreed that the people and process aspect of secure software development is critical.

"Like anything else, it turns into shelfware if you don't have the process and people to support it internally. You need a sustainable software security initiative already in place. You need the appropriate people and processes lined up to make sure they can take full advantage of it," Kim said.

Cloud security risks

The cloud brings with it security concerns, and that is no different for cloud-based static code analysis. "When you have a product behind your firewall, on desktops, you don't have to worry about sending sensitive data outside your firewalled network. If you're using a cloud provider, you need assurance that the cloud provider has sufficient controls in place to protect your data throughout the lifecycle," Adams said.

Chris Wysopal, co-founder and CTO at Veracode Inc., a Burlington, Mass.-based provider of cloud-based application security services, advises companies to ask service providers how their data is protected when it's in the cloud, and to inquire about procedural controls as well as technical controls. Procedural controls include employee background checks, internal checks and balances, auditing, and the policies and processes around remediation, he said.

Adams said his organization requires assurances before they will begin using a new tool. "They've got to not just attest to it in writing; they've got to show it to me," he said. That means getting proof, in the way of code reviews and demonstrations, that the company is implementing security measures. "Once we get past that barrier then we can reap the benefits of scale, licensing. It's a great thing when you have what you need when you need it at less than the cost of the product," he added.

About the author
Crystal Bedell is a freelance technology writer specializing in information security, cloud computing and computer networking. She can be reached at
[email protected].

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus