Description
Mailing List: http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org
Want to Join? Contact Sherif Koussa.
Status: In Progress.
Static Code Analysis is the analysis of software code without executing the binaries built from that code. It aims to automate code review in order to find as many common quality and security issues as possible. Several open source and commercial tools are available for organizations to choose from.
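To make the definition concrete, the following toy analyzer is an added example and is not part of the WASC project or the criteria document it describes. It parses Python source into an abstract syntax tree and reports three constructed rules (eval(), subprocess calls with shell=True, and MD5 use) without ever executing the analysed code; the sample program, the rule names and the Finding type are all assumptions made for this illustration.

```python
"""Minimal AST-based static analyzer (illustrative example, not a real SAST tool)."""
import ast
from dataclasses import dataclass

# Constructed sample program. It is parsed, never imported or run.
SAMPLE_SOURCE = '''\
import subprocess
import hashlib

def run(cmd):
    subprocess.call(cmd, shell=True)

def run_safe(args):
    subprocess.call(args)

def load(blob):
    return eval(blob)

def digest(data):
    return hashlib.md5(data).hexdigest()
'''


@dataclass
class Finding:
    lineno: int
    rule: str      # constructed rule identifier for this example
    message: str


def _qualified_name(node):
    """Turn the callee expression of a Call into 'a.b.c', or None if not a plain name path."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class InsecureCallVisitor(ast.NodeVisitor):
    """Walks every Call node and matches it against a small rule set."""

    SHELL_APIS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                  "subprocess.check_call", "subprocess.check_output"}

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _qualified_name(node.func)
        if name == "eval":
            self.findings.append(Finding(node.lineno, "DYNAMIC-EVAL",
                                         "eval() executes arbitrary code"))
        elif name in self.SHELL_APIS:
            # Only flag when shell=True is passed as a literal; a list of args is fine.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(node.lineno, "SHELL-TRUE",
                                                 f"{name} with shell=True"))
        elif name == "hashlib.md5":
            self.findings.append(Finding(node.lineno, "WEAK-HASH",
                                         "MD5 is not collision resistant"))
        # Keep descending: e.g. hashlib.md5(...) nested inside .hexdigest()
        self.generic_visit(node)


def analyze_source(source: str):
    """Parse the source text and return findings in source order."""
    tree = ast.parse(source)
    visitor = InsecureCallVisitor()
    visitor.visit(tree)
    return visitor.findings


if __name__ == "__main__":
    for f in analyze_source(SAMPLE_SOURCE):
        print(f"line {f.lineno}: [{f.rule}] {f.message}")
```

The point of the example is the separation between parsing and execution: the analyzer sees the structure of `subprocess.call(cmd, shell=True)` and can reason about the literal keyword argument, but it never runs `run()`. Real SAST tools add data-flow tracking, language coverage, and far larger rule sets, which is exactly what the evaluation criteria below set out to compare.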
This project will define common criteria for evaluating SAST (Static Application Security Testing) tools for individual organizations. The criteria will not include information specific to any vendor, nor will they even mention any vendor! The guide is intended to assist organizations in the procurement of SAST tools.
The Web Application Security Consortium is looking for contributors to this project, namely researchers, academics, vendors, software developers and security professionals. If you would like to get involved, please contact Sherif Koussa.
Target Audience:
The target audience of this document is the technical staff of organizations dealing with software security issues. The document takes into consideration both those who evaluate the tool and those who actually use it. Most of the time these two groups are the same, but sometimes they are not.
Scope:
The purpose of this document is to develop a set of criteria that should be taken into consideration when evaluating Static Code Analysis tools for security testing. Every software organization is unique in its environment, and the goal is to help organizations achieve better application security in their own environment. The document will strictly stay away from evaluating or rating tools. Instead, it aims to draw attention to the most important aspects of static analysis tools, so that the target audience identified above can choose the best tool for their environment and development needs.