Question APPL-13

Do you subject your code to static code analysis and/or static application security testing prior to release?

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

State your plans to implement static code testing practices into your environment.

Answering "YES"

Provide a list of all tools utilized during static code analysis or static application security testing.

Reason for Question

Code analysis (prior to implementation) can decrease the number of vulnerabilities within a system. Depending on the insight a vendor has into their code, code testing should be expected. When a vendor outsources their coding efforts, the use of a web application firewall may be appropriate. In this case, reference the vendor's response to their use of a WAF.

Follow-Up Inquiries

Ask the vendor what types of tools they use in testing and who performs the testing of the code. Are developers the ones running the security tests? If static code analysis and/or static application security testing is not conducted, point the vendor to OWASP's Testing Guide at https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents (opens in a new tab)

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]