This study investigates static code analysis for security audit in an industrial, agile setting. The case study is Telenor Digital, located in Norway.
The study aims to understand the challenges of implementing a static code analysis tool from the perspective of agile developers. To support an informed choice of tool, it evaluated static code analysis tools on a benchmark security test suite (the NIST Juliet Test Suite), comparing them by their true positive rate and discrimination rate. Lastly, a post-evaluation of the static analysis tool implemented at Telenor was performed.
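As an added illustration (not code from the thesis or from Telenor), the following scores a tool's results on Juliet-style test cases: each case pairs a "bad" function containing the flaw with one or more "good" functions that do not, and a tool "discriminates" a case when it flags the bad function while staying silent on every matching good function. The tool results are constructed sample data; `JulietResult`, `TOOL_A` and `TOOL_B` are hypothetical.

```python
# Added example (not from the thesis): scoring a static analysis tool on
# Juliet-style test cases. Each case pairs a "bad" function containing the
# flaw with one or more "good" functions that do not. All data is constructed.
from dataclasses import dataclass, field


@dataclass
class JulietResult:
    """Outcome of one tool on one Juliet test case."""
    case_id: str               # CWE id plus test case name
    flagged_bad: bool          # tool reported the weakness in the bad function
    flagged_good: list = field(default_factory=list)  # one bool per good function


def true_positive_rate(results):
    """Share of test cases whose bad function the tool flagged (recall)."""
    if not results:
        return 0.0
    return sum(r.flagged_bad for r in results) / len(results)


def false_positive_rate(results):
    """Share of good functions the tool wrongly flagged."""
    goods = [g for r in results for g in r.flagged_good]
    return sum(goods) / len(goods) if goods else 0.0


def discrimination_rate(results):
    """Juliet 'discrimination': bad function flagged AND no good function
    flagged. A tool that flags everything gets 100% TPR but 0% here."""
    if not results:
        return 0.0
    return sum(r.flagged_bad and not any(r.flagged_good) for r in results) / len(results)


# Constructed sample: four CWE-89 cases run through two hypothetical tools.
TOOL_A = [
    JulietResult("CWE89_case01", True, [False, False]),
    JulietResult("CWE89_case02", True, [True]),    # noisy: also flags safe code
    JulietResult("CWE89_case03", False, [False]),  # missed flaw
    JulietResult("CWE89_case04", True, [False]),
]
TOOL_B = [JulietResult(f"CWE89_case0{i}", True, [True]) for i in range(1, 5)]  # flags everything

if __name__ == "__main__":
    for name, res in (("tool A", TOOL_A), ("tool B", TOOL_B)):
        print(f"{name}: TPR={true_positive_rate(res):.2f} "
              f"FPR={false_positive_rate(res):.2f} "
              f"disc={discrimination_rate(res):.2f}")
```

Comparing the two tools shows why the thesis reports discrimination rate alongside true positive rate: tool B matches or beats tool A on recall alone, yet its findings carry no information.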
The results of this work shed more light on the challenges of implementing a static code analysis tool for security audit in an agile setting. The findings also identify the most important factors for adopting a particular tool, the trade-offs the teams are willing to make to adopt this kind of tool, and the metrics relevant to tool evaluation that support the adoption of such tools.