[Guest Blogger] Kevin Lam Thoughts on Code Scanning Tools
[Guest Blogger] Thoughts on Code Scanning Tools
Information managers, developers and testers commonly make the mistake of seeing code scanning tools as replacement for security QA processes. As a result they get a false sense of security about their software development lifecycle. Rather than using code scanning tools as a QA team replacement, think of code scanning tools an enforcement mechanism to help ensure that developers are following best practices and more importantly application security development policies.
Secondly tools need to be tightly integrated into a SDLC and not done as a one-off exercise. I visit a lot of customers each year to train them on developing applications securely and often ask them about their development processes and where tools fit into those processes. A common, almost consistent, response I hear is “developers run tools if they know they exist and if they remember.” Ouch. One way in which I’ve helped customers in the past is to integrated tools as a direct gate within their SDLC. Failure to complete this step affects the developer’s ability to proceed forward. As I always say, there’s a difference between what you say you do, and what you actually do.
Another common request from customers I get is for me suggest to them which is the ‘best’ tool. My response: potato. There is no best tool per se, but rather there is a best tool that meets their code scanning requirements. In order for a tool to be identified, I help my customers define those requirements first – otherwise they’ve just purchased or downloaded a tool that they have no idea whether or not is adding value or not.
Have fun scanning!
Kevin Lam
Senior Security Technologist
Microsoft ACE Security Services
 | | Kevin Lam is a Senior Security Strategist at Microsoft with over 7 years experience in information security. At Microsoft he is responsible for conducting security assessments (security code review, penetration testing and architectural review) for high valued targets such as XBOX Live, Windows, .NET Framework, MSN Money and critical business services. Kevin is also responsible for driving security strategy and policy changes across Microsoft company-wide and works closely with senior management. He recently published a book for Microsoft Press titled “Assessing Network Security” (ISBN: 0-7356-2033-4) that has received excellent reviews industry-wide, and has also been published in literature such as TechNet magazine. He is a frequent speaker and has participated on several expert security panel discussions. |
