Docy Child

APPS- 3 Static Code Analysis

Estimated reading: 2 minutes 573 views

What is this control about?

Static code analysis is a method of examining source code before a program is run. This is a best practice usually performed as part of the code review process.

The most important factor is ensuring that the tool used to perform the analysis is running automatically every time, and follow-up actions are taken promptly (within a reasonable timeframe) to remediate any issues that arise. As an organization, you must prioritize issues to remediate, and define the timeline for resolving them yourself — there are no strict mandatory timelines or prioritization requirements.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

Vulnerability Scanning Tools
Reshift Security

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no templates recommendation

Control implementation

Note: This control is automated by TrustCloud. Connect your system to enjoy the benefit of automation

For a manual implementation: 

Install a tool to scan and analyze all production code for vulnerabilities

  • The tool must be configured to run continuously, or on a frequent schedule (schedule is up to each company to determine)
  • The tool must be configured to send a notification or alert when issues are found

Implement a formal and repeatable way to resolve any issues identified. The issues must be resolved timely (timeliness is up to each company to define)

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

  • Provide screenshots of the the tool’s settings screen(s), showing that it is configured to continuously or frequently analyze your code
  • Provide a remediation ticket or document outlining issues found through the tool, which shows that actions were taken to remediate the issue

Evidence example

From the suggested action above, an example is provided below.

    1. Screenshots of the configuration settings of the tool showing that it runs code analysis review.
      Example of a tool:
      apps 1 screenshot1
    2. Provide a remediation ticket or document related to the issues found and action steps taken to remediate the issue.
      Example of remediation configuration (This can include more detailed evidence of remediation)
      apps 1 screenshot2

Join the conversation

Twitter Facebook LinkedIn

❤️  Joyfully crafted by a 100% distributed team.