- Tools that perform static analysis scan your source code (or compiled bytecode and binaries) and look for known vulnerable patterns without executing the program; that is why they are called static rather than dynamic. Because the code never runs, they cannot see values that exist only at run time, such as a string assembled from user input and then passed to `eval()`: they can report that the dangerous call is there, but not what it will execute. Dynamic tools (DAST) run the application and observe its errors and behaviour at run time instead.
- Why?
- Shift Security Left - SAST integrates security into the early stages of the software development lifecycle: it runs on the code as it is written, in the IDE or on every commit, so vulnerabilities in proprietary code are found while they are cheap to fix rather than after deployment. Leaving security testing to the end means weaknesses reach the production environment, where fixing them costs more and the exposure is real. SAST covers both client-side and server-side code and reports weaknesses in source or binaries such as SQL injection, cross-site scripting, buffer overflows, hard-coded credentials and much more. Fixing findings before the code moves further along the SDLC keeps them from becoming serious risks for your end users and your organization.
- Ensure secure coding - Secure coding is crucial for all software, whether it runs on websites, desktops, mobile devices or embedded systems. Poorly written software is an easy target for attackers and can be abused for denial of service, loss or leakage of sensitive data, damage to end users' software and systems, and reputational harm that leads to further losses. SAST helps enforce that code is written securely: it lets developers verify that their code complies with secure coding standards (e.g. the CERT coding standards) and internal guidelines before it is released to the production environment. Scrum masters and product owners also use SAST results to hold development teams to those standards, which reduces vulnerabilities faster and raises code integrity. Note that SAST examines the code you write yourself; vulnerabilities in third-party dependencies are the job of software composition analysis (SCA), not SAST.
- Quick and Accurate - SAST tools scan code thoroughly and far faster than humans performing manual secure code reviews, though their pattern matching also produces false positives, so findings still need triage. We use SAST tools to scan millions of lines of code to automatically detect security vulnerabilities and mitigate them. At Cypress Data Defense, our security team experts ensure that security is embedded right into the code from the design phase to final production. We know exactly how quickly developers roll out new updates and products, which means that security needs to keep pace with it as well. We use a range of automated SAST tools that we have been working with for years and that have proven excellent in terms of performance and efficiency. These automated tools monitor the code regularly so you don't have to worry about constantly checking on it. Once you have the results from the automated testing, you can gain insights, derive useful analytics, and easily trace and fix vulnerabilities. In a nutshell, SAST tools reduce the time it takes developers to find and fix security defects in their source code.
- Customizations - typical options: write results to a file in a chosen format (JSON, HTML, etc., or several files for different consumers), suppress informational or low-severity warnings, print all debugging information, skip specific checks or run only a chosen subset, raise the minimum confidence level at which a finding is reported, and exclude directories such as tests or vendored code so the scan runs faster.
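To make the static/dynamic distinction and the customization options above concrete, here is a toy SAST scanner in Python, added as an example and not taken from the page or from any real product. It parses the target with the standard `ast` module and matches a handful of hypothetical checks (the ids X001 to X004, their messages and the sample target are all constructed for this illustration), and it exposes the customizations listed above as arguments: `skip`, `only`, `min_confidence`, and a text or JSON `report`. The sample target ends with `eval(payload)`, where `payload` is assembled from string fragments at run time; the scanner flags the `eval()` call but cannot know what it will execute, which is exactly the limit of static analysis described at the top of this list.

```python
# Toy SAST scanner for Python source (added illustration, not the page's tool); never runs the target.
import ast
import json
from dataclasses import asdict, dataclass

CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
SECRET_WORDS = ("password", "passwd", "secret", "token")


@dataclass
class Finding:
    check_id: str  # hypothetical ids X001-X004, not from any real tool
    severity: str
    confidence: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'os.system', 'cur.execute', 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def _is_built_string(node) -> bool:
    """f-string, '%'/'+' expression or .format() call: text assembled at run time."""
    if isinstance(node, (ast.JoinedStr, ast.BinOp)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class PatternVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _add(self, check_id, severity, confidence, node, message) -> None:
        self.findings.append(Finding(check_id, severity, confidence, node.lineno, message))

    def visit_Assign(self, node: ast.Assign) -> None:
        # X003: string literal assigned to a name that looks like a credential
        for target in node.targets:
            if (isinstance(target, ast.Name) and any(w in target.id.lower() for w in SECRET_WORDS)
                    and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
                self._add("X003", "MEDIUM", "MEDIUM", node, f"hard-coded secret in {target.id}")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        first = node.args[0] if node.args else None
        if name in ("eval", "exec"):
            # X001: we see the call, but not the string it will execute at run time
            self._add("X001", "HIGH", "HIGH", node, f"{name}() executes dynamically built code")
        elif name == "os.system" or (name.startswith("subprocess.") and _shell_true(node)):
            # X002: command handed to a shell; a literal command is less suspicious
            conf = "LOW" if isinstance(first, ast.Constant) else "HIGH"
            self._add("X002", "HIGH", conf, node, f"{name} runs a shell command")
        elif name.endswith(".execute") and _is_built_string(first):
            # X004: query text assembled by string formatting (possible SQL injection)
            self._add("X004", "HIGH", "MEDIUM", node, "SQL query built by string formatting")
        self.generic_visit(node)


def scan(source: str, *, skip=(), only=None, min_confidence="LOW") -> list[Finding]:
    """Parse (never execute) the source, then apply skip / only / confidence filters."""
    visitor = PatternVisitor()
    visitor.visit(ast.parse(source))
    return [f for f in visitor.findings
            if f.check_id not in skip and (only is None or f.check_id in only)
            and CONFIDENCE_RANK[f.confidence] >= CONFIDENCE_RANK[min_confidence]]


def report(findings: list[Finding], fmt: str = "text") -> str:
    """Render findings as text or JSON, the way a tool's output-format option would."""
    if fmt == "json":
        return json.dumps([asdict(f) for f in findings], indent=2)
    return "\n".join(f"line {f.line}: [{f.check_id} {f.severity}/{f.confidence}] {f.message}"
                     for f in findings)


# Constructed sample target (not real project code); the scanner sees it as lines 1-9.
SAMPLE = '''\
import os, subprocess
DB_PASSWORD = "hunter2"
def run(cmd, user_id, cur):
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    cur.execute("SELECT * FROM users WHERE id = %s" % user_id)
    cur.execute("SELECT 1")
    payload = "__import__('os').sys" + "tem('id')"
    eval(payload)
'''

if __name__ == "__main__":
    print(report(scan(SAMPLE)))  # five findings, on lines 2, 4, 5, 6 and 9
    print(report(scan(SAMPLE, skip=("X002",), min_confidence="MEDIUM"), fmt="json"))
```

Run it directly to get the text report, then the JSON report with the shell-command check skipped and low-confidence findings dropped. The `min_confidence` threshold is the usual lever in real tools for trading coverage against false positives: the `os.system("ls " + cmd)` call is reported at high confidence because its argument is built at run time, whereas a literal command would only appear at low confidence.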