Increase the Value of Static Analysis by Enhancing its Rule Set

Static analysis tool vendors are debating whether to allow their customers a rule-set tailored to their environment. There is no empirical evidence to support each argument or counter-argument. Veracode does not accept custom rules and argues that lock-down is in their customers best interest. Checkmarx enables their customer to customize a rule-set under very special license agreements, while open-source tools such as SonarQube allow for complete customization. Putting vendor concerns and priorities aside, should the enterprise add a tailored rule-set by adding rules that enforce its secure coding standards too? More importantly, does a tailored rule-set increase the value of static code analysis to the business? In this study, four different static analysis tools Veracode, IBM AppScan, Burp Proxy Scanner and SonarQube scan a JavaScript application. After showing the limitations of the default rule-set for each scanner, the research study adds rules that cover the distinct design and coding standards of the sample application. It is not possible to add a custom rule-set to every scanner. For that reason, the experiment adds the tailored rule-set to the SonarQube platform and combines the results of the two scanning tools: the one tool enforces security standards while the other finds common flaws in the code. While prior research shows that combining the strengths of multiple code analysis tools deliver better results in general, this research study proves that a tailored rule-set improves the outcome even more. The research undertaking recommends practical steps to increase the coverage of automated static analysis and maximize its value to the enterprise.