Reconciling Software Development Speed and Robustness with Optimally Balanced Static Application Security Testing

Developing and maintaining secure software is essential for modern safety-critical systems but is also a challenging problem for agile development teams. Proven security and fast development are natural antagonists which must be reconciled to minimize vulnerabilities while guaranteeing a prompt response to cyber incidents. This paper highlights the most common issues in this context and shows a proven strategy that makes “agile security” an achievable routine. The proposed approach is based on the best practices of industry leaders from various application domains and their use of static code analysis at the right time and with the proper scope and depth. It addresses the well-known resource problem (who does security and when?), the learning problem (how do developers learn, how do teams improve?), and how to deliver sufficient and consistent security evidence. With a clever balance of tools, automation, and feedback, cybersecurity can be quantified, incrementally improved, and delivered on time.

This paper was presented at Embedded World Conference 2023.