
APPS-3 Static Code Analysis


What is this control about?

Static code analysis is a method of examining source code before a program is run. This is a best practice usually performed as part of the code review process.

The most important factor is ensuring that the analysis tool runs automatically every time rather than being invoked by hand, and that follow-up actions are taken promptly (within a reasonable timeframe) to remediate any issues that arise. As an organization, you must prioritize the issues to remediate and define the timeline for resolving them yourself; there are no strict mandatory timelines or prioritization requirements.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

Vulnerability Scanning Tools

  • Veracode
  • Snyk
  • Reshift Security
  • SonarQube
  • Bandit
  • Brakeman

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no templates recommendation

Control implementation

Note: This control is automated by TrustCloud. Connect your system to enjoy the benefit of automation.

For a manual implementation: 

Install a tool to scan and analyze all production code for vulnerabilities

  • The tool must be configured to run continuously, or on a frequent schedule (schedule is up to each company to determine)
  • The tool must be configured to send a notification or alert when issues are found

Implement a formal and repeatable way to resolve any issues identified. The issues must be resolved in a timely manner (timeliness is up to each company to define).
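As an added example (not TrustCloud's own configuration, nor any listed vendor's documentation), the CI workflow below implements both requirements above for a Python code base using Bandit on GitHub Actions: the scan runs automatically on every push and pull request plus a weekly schedule, and a failing job produces the alert. The `src/` path, Python version and `main` branch name are assumptions.

```yaml
# Added example: GitHub Actions workflow running Bandit as the static analysis tool.
# Assumptions: code lives under src/, GitHub Actions is the CI system, and GitHub's
# default failure notifications serve as the "alert when issues are found".
name: static-code-analysis

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC, so the scan also runs when no one commits

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Bandit
        run: pip install bandit

      # First pass writes a machine-readable report (the audit artifact) and never
      # fails (--exit-zero). Second pass filters to medium severity (-ll) and medium
      # confidence (-ii); Bandit exits non-zero when findings remain, failing the job.
      - name: Run Bandit
        run: |
          bandit -r src -f json -o bandit-report.json --exit-zero
          bandit -r src -ll -ii

      # Upload the report even when the scan step failed, so evidence of what was
      # found (and later remediated) is retained for auditors.
      - name: Keep report as evidence
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit-report.json
```

The retained `bandit-report.json` artifact and the failed-run notification map directly onto the two pieces of evidence auditors ask for below.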

What evidence do auditors look for?

Most auditors, at a minimum, look for the following suggested evidence:

  • Provide screenshots of the tool's settings screen(s), showing that it is configured to continuously or frequently analyze your code
  • Provide a remediation ticket or document outlining issues found through the tool, which shows that actions were taken to remediate the issue

Evidence example

From the suggested action above, an example is provided below.

    1. Screenshots of the configuration settings of the tool showing that it runs code analysis review.
       Example of a tool:
       [Screenshot: apps 1 screenshot1]
    2. Provide a remediation ticket or document related to the issues found and the action steps taken to remediate the issue.
       Example of remediation configuration (this can include more detailed evidence of remediation):
       [Screenshot: apps 1 screenshot2]
