You are probably thinking, what the heck is this guy talking about. I didn’t even know there was a Static Analysis 1.0 or 2.0, so how can there be a Static Analysis 3.0?
Static Analysis as a foundational Application Security platform has been around since the early 2000s. It has evolved to fit with the changes in how software and applications are written and released. Yes, I am talking about DevOps or, if you prefer, DevSecOps and aggressive CI/CD release pipelines.
Which do you prefer?
Speaking of DevOps and DevSecOps, which term do you use?
I have been scolded a few times by industry experts when I use DevSecOps as I have been told that security is an integral part of DevOps, so you don’t need to call out the “Sec” specifically.
DevOps and DevSecOps are the same thing, as DevOps is nothing without security, so why are we confusing things with two terms that mean the same thing?
So from now on, I am just going to use DevOps – the “Sec” is silent (jk).
Back to the topic at hand: Party like it’s 1999
When Static Analysis came into being around the year 2000, software and application development were much different. Monolithic applications were the norm, with very slow release cycles, so it wasn’t a massive deal for Static Analysis to be an out-of-band process.
Integrations and Automation were minimal and were tied to ANT, MAVEN, or MAKE files. Scans took a long time and had to be rerun from scratch every time code was updated.
We will call this approach Static Analysis 1.0.
It was much better than manual code reviews that were prone to miss issues and was much faster than a human could review code, so it was an improvement.
When I think of manual code reviews vs. Static Analysis, this cartoon always comes to mind. It took a while for people to change their thinking, but once they did, Static Analysis was here to stay. Some of the vendors you might recognize from the Static Analysis 1.0 time frame are Coverity, Fortify, and Ounce Labs.
What changed, and what is Static Analysis 2.0?
The answer to that question is easy.
The way software and applications are developed changed dramatically. Welcome to the DevOps party. Applications are no longer monoliths and are released much more frequently with aggressive CI/CD pipelines. There isn’t time for an out-of-band Static Analysis Scan to happen anymore.
Based on the playing field evolving so dramatically, Static Analysis vendors changed how they implemented it. Integrations into Continuous Integration (CI) platforms were a must. Instead of being a side process, Static Analysis had to be part of the process. The more integrated and automated into DevOps, the better.
Also, it was no longer practical for Static Analysis scans to be completely rerun even if only one line of code changed, so incremental scanning came to light. I give you Static Analysis 2.0.
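The incremental scanning idea above, as an added example that is not code from the post or from any of the vendors it names. It caches each file's findings under a hash of the file's content, so a rescan only re-analyzes files whose content changed and reuses cached findings for the rest. The rule it runs (a regex for string literals assigned to password/secret/token variables, rule id HARDCODED_SECRET) and the two-file sample repository are constructed for the example.

```python
"""Added example: a minimal incremental scanner (not the post's or any vendor's code).

Each file's findings are cached under a SHA-256 of its content. On rescan, a file
whose hash is unchanged is served from the cache; only changed or new files are
re-analyzed. The analysis rule itself is deliberately tiny.
"""
import hashlib
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (path, line number, rule id)

# Hypothetical rule: a string literal assigned to a credential-looking variable.
SECRET_ASSIGN = re.compile(
    r'\b(password|secret|token|api_key)\s*=\s*["\'][^"\']+["\']', re.IGNORECASE
)


def analyze_file(path: str, text: str) -> List[Finding]:
    """Run the single rule over one file and return its findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SECRET_ASSIGN.search(line):
            findings.append((path, lineno, "HARDCODED_SECRET"))
    return findings


class IncrementalScanner:
    """Keeps a per-file cache of (content hash, findings) between scans."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, List[Finding]]] = {}
        self.analyzed = 0  # files actually re-analyzed during the last scan()

    def scan(self, files: Dict[str, str]) -> List[Finding]:
        """files maps path -> current content; returns findings for the whole tree."""
        self.analyzed = 0
        results: List[Finding] = []
        for path, text in files.items():
            digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
            cached = self.cache.get(path)
            if cached is not None and cached[0] == digest:
                results.extend(cached[1])  # unchanged file: reuse findings
                continue
            findings = analyze_file(path, text)
            self.cache[path] = (digest, findings)
            self.analyzed += 1
            results.extend(findings)
        for stale in set(self.cache) - set(files):  # forget deleted files
            del self.cache[stale]
        return results


# Constructed sample repository: version 1, then version 2 with one file edited.
SAMPLE_V1 = {
    "config.py": 'api_key = "placeholder-not-a-real-key"\nDEBUG = False\n',
    "app.py": 'def handler():\n    return "ok"\n',
}
SAMPLE_V2 = {
    "config.py": SAMPLE_V1["config.py"],  # untouched, served from cache
    "app.py": 'def handler():\n    password = "constructed-example"\n    return "ok"\n',
}


def demo() -> Tuple[int, int, int, int]:
    """Returns (files analyzed, findings) for the full scan and for the rescan."""
    scanner = IncrementalScanner()
    first = scanner.scan(SAMPLE_V1)
    first_analyzed = scanner.analyzed
    second = scanner.scan(SAMPLE_V2)
    return first_analyzed, len(first), scanner.analyzed, len(second)


if __name__ == "__main__":
    print(demo())  # (2, 1, 1, 2): full scan touches 2 files, rescan touches only 1
```

A real tool also has to invalidate cached results when a rule set or a file's dependencies change; the content hash alone only captures edits to the file itself.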
Some of the vendors that you might recognize in the Static Analysis 2.0 time frame are Checkmarx and Veracode.
It was good at the time, but it can get better
Can you think of something that you thought was amazing and never thought it could get better when it initially came out?
Static Analysis 2.0 is much better than Static Analysis 1.0 because it fits better in today’s world of application development, but what does the future hold? I am dating myself a bit, but I thought the Atari 2600 was the most amazing thing when I was a kid, and it could never get any better than that.
I couldn’t even imagine what a Nintendo could do.
Static Analysis 3.0 is the next step in the evolution
You are probably thinking, ok, I get the differences of Static Analysis 1.0 vs. Static Analysis 2.0, but what the heck is Static Analysis 3.0?
Static Analysis 3.0 is repurposing Static Analysis as we know it to solve a huge problem: the ability to have a complete architectural risk understanding of your applications.
Static Analysis has historically been used to understand security vulnerabilities as unique entities. You would scan an application with a Static Analysis solution and get back a list of individual issues.
The problem is that each issue was reported in isolation. The results did not consider how one finding related to other security issues or to the ever-changing application architecture.
Static Analysis 3.0 is static analysis that provides a complete architectural map of your application that allows you to identify drift, PII leakage, compliance, dangerous data flows, and much more.
Instead of viewing your application through an application security vulnerability lens, you view your application through an architecture risk lens that allows you to understand the current security risk and potential security risk.
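As an added example of what an architecture-level view can give you beyond a list of findings (this is illustrative code written for this page, not Bionic's product or any vendor's engine), the following builds a toy "architectural map" of a Python module with the standard ast module: for each function, which functions it calls, which untrusted input sources it reads and which sensitive sinks it reaches. Two checks run over that map: a dangerous data flow (a value read from a source reaching a sink in the same function without passing through a sanitizer) and drift (call-graph edges added or removed relative to a saved baseline). The source, sink and sanitizer names and both sample modules are constructed for the example.

```python
"""Added example: a toy architectural map with drift and dangerous-flow checks.
Not the post's code and not any vendor's product."""
import ast
from typing import Dict, List, Set, Tuple

SOURCES = {"request.args.get"}  # hypothetical untrusted-input API
SINKS = {"db.execute"}          # hypothetical sensitive sink
SANITIZERS = {"escape"}         # hypothetical sanitizer

ArchMap = Dict[str, Dict[str, Set[str]]]  # function -> {"calls", "sources", "sinks"}


def dotted(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def build_map(source: str) -> ArchMap:
    """Per top-level function: every callee name, plus which are sources/sinks."""
    graph: ArchMap = {}
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        calls = {dotted(n.func) for n in ast.walk(fn) if isinstance(n, ast.Call)}
        calls.discard(None)
        graph[fn.name] = {"calls": calls, "sources": calls & SOURCES, "sinks": calls & SINKS}
    return graph


def _is_tainted(expr: ast.AST, tainted: Set[str]) -> bool:
    """Does this expression carry source data? Sanitizer calls clear taint."""
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return any(_is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))


def find_dangerous_flows(source: str) -> List[Tuple[str, str]]:
    """Straight-line, per-function taint tracking: (function, tainted names at a sink)."""
    flows: List[Tuple[str, str]] = []
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted: Set[str] = set()
        for stmt in fn.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                (tainted.add if _is_tainted(stmt.value, tainted) else tainted.discard)(target)
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and dotted(node.func) in SINKS:
                    for arg in node.args:
                        if _is_tainted(arg, tainted):
                            names = sorted({n.id for n in ast.walk(arg)
                                            if isinstance(n, ast.Name) and n.id in tainted})
                            flows.append((fn.name, ",".join(names) or "<source call>"))
    return flows


def drift(baseline: ArchMap, current: ArchMap) -> Dict[str, Set[Tuple[str, str]]]:
    """Call-graph edges that appeared or disappeared since the baseline."""
    def edges(g: ArchMap) -> Set[Tuple[str, str]]:
        return {(caller, callee) for caller, info in g.items() for callee in info["calls"]}
    b, c = edges(baseline), edges(current)
    return {"added": c - b, "removed": b - c}


# Constructed sample module at baseline: input is sanitized, query is parameterized.
BASELINE_SRC = '''
def get_user(uid):
    return db.execute("SELECT * FROM users WHERE id = ?", (uid,))

def handler():
    uid = escape(request.args.get("id"))
    return get_user(uid)
'''
# Constructed later version: handler now bypasses both the sanitizer and get_user.
CURRENT_SRC = '''
def get_user(uid):
    return db.execute("SELECT * FROM users WHERE id = ?", (uid,))

def handler():
    uid = request.args.get("id")
    return db.execute(f"SELECT * FROM users WHERE id = {uid}")
'''

if __name__ == "__main__":
    print(drift(build_map(BASELINE_SRC), build_map(CURRENT_SRC)))
    print(find_dangerous_flows(CURRENT_SRC))  # [('handler', 'uid')]
```

The point of the drift output is that the removed edges (handler no longer calls escape or get_user) are an architectural signal on their own, visible even before the flow check confirms that untrusted input now reaches the sink directly.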
The only current vendor taking the approach is Bionic.
If Static Analysis 1.0 is an Atari 2600 and Static Analysis 2.0 is an original Nintendo, then Static Analysis 3.0 is a PlayStation 5.
I don’t know about you, but I would rather play games on a PlayStation 5 than an original Nintendo or Atari 2600. I would also rather scan my applications with Static Analysis 3.0 over 1.0 or 2.0.
I am not saying that Static Analysis 1.0 or 2.0 vendors were bad.
They worked well during their time frame, but we face a huge issue associated with very aggressive DevOps, specifically CI/CD release cycles. The code is changing so rapidly that it is hard to keep track of the gap between what companies think their application architecture looks like and what it actually is.
The only solution to this problem is Static Analysis 3.0.