Increase the Value of Static Analysis by Enhancing its Rule Set

Static analysis tool vendors are debating whether to allow their customers a rule-set tailored to their environment. There is no empirical evidence to support each argument or counter-argument. Veracode does not accept custom rules and argues that lock-down is in its customers' best interest. Checkmarx lets its customers customize a rule-set under very specific license agreements, while open-source tools such as SonarQube allow complete customization. Putting vendor concerns and priorities aside, should the enterprise add a tailored rule-set, that is, rules that enforce its own secure coding standards? More importantly, does a tailored rule-set increase the value of static code analysis to the business? In this study, four different static analysis tools (Veracode, IBM AppScan, Burp Proxy Scanner and SonarQube) scan a JavaScript application. After showing the limitations of each scanner's default rule-set, the study adds rules that cover the distinct design and coding standards of the sample application. It is not possible to add a custom rule-set to every scanner. For that reason, the experiment adds the tailored rule-set to the SonarQube platform and combines the results of two scanning tools: one enforces the security standards while the other finds common flaws in the code. While prior research shows that combining the strengths of multiple code analysis tools delivers better results in general, this study proves that a tailored rule-set improves the outcome even more. The research recommends practical steps to increase the coverage of automated static analysis and maximize its value to the enterprise.

29 Jan 2018
By Michael Matthee
All papers are copyrighted

No re-posting of papers is permitted

Related Content

Reducing Excessive Trust in the Web PKI Ecosystem

Research Paper

This research examines the possibility of developing an add-on for the open-source mitmproxy project to add drift detection for root Certification Authority (CA) certificates, incorporate policy-based controls over which CAs are allowed, and leverage an ensemble of existing technologies—some in novel ways—to reduce the level of trust placed in the public Web PKI.

  • 12 Mar 2026

Inside the Five Most Dangerous New Attack Techniques

Research Paper

This e-book represents the next evolution of that effort. Here, we take the five key topics presented from the keynote stage and expand them into four full-length chapters.

  • 8 Dec 2025
  • Heather Barnhart, Rob T. Lee, Joshua Wright, Tim Conway

Structural Vulnerability: Autodesk Revit Server WAN Exposure Versus Cost of Autodesk Construction Cloud

Research Paper

Autodesk Revit Server, a critical collaboration tool in the architecture, engineering, and construction (AEC) industry, was designed to operate within trusted networks.

  • 7 Nov 2025

Privacy Protections: Are Stronger Laws Changing What We Reveal?

Research Paper

As U.S. states enact privacy laws aimed at giving consumers more control over their personal data, little is known about whether privacy legislation influences individuals’ willingness to disclose their identity on public platforms.

  • 26 Sep 2025

Revolutionizing ISO 27001 Audit Evidence Collection: Steampipe as the Ultimate Tool

Research Paper

In the current landscape of increasing regulations, cyber breaches, and business risks, information...

  • 5 Dec 2024

Assessing Operational Technology: Using the ONG-C2M2 Model and CIS Controls to Assess Operational Technology (OT) Environments

Research Paper

Most small to medium-sized organizations rely heavily on CIS Controls (Center for Internet Security,...

  • 20 Dec 2023

Who Needs a Pentest: Validating the Configuration of an EDR Solution Using the MITRE ATT&CK Framework

Research Paper

Is that EDR suite fully configured, and providing the expected protection? Do we have a scalable way...

  • 7 Nov 2023

"Think Different" About Compliance: Is Effective, Automated macOS Configuration Achievable with NIST's macOS Security Compliance Project?

Research Paper

Information security compliance within the Apple macOS ecosystem is an especially challenging...

  • 21 Dec 2022

Risk Prioritization: An Examination of Published Exploitability Ratings

Research Paper

Businesses struggle to prioritize the remediation of vulnerabilities in their environment. One...

  • 27 Jan 2022

Ransomware Impact Assessments: Guidance is Common, Your Organization is Not!

Research Paper

Defeating ransomware's threat has become a cyber-Sisyphean task because the cybersecurity community...

  • 3 Nov 2021

Security Network Auditing: Can Zero-Trust Be Achieved?

Research Paper

Since 2010, government and business organizations have begun to adopt the Zero-Trust framework....

  • 23 Sep 2020

Risk Management with Automated Feature Analysis of Software Components

Research Paper

Organizations developing software need pragmatic risk management practices to prevent malicious code...

  • 27 Aug 2020

Answering the Unanswerable Question: How Secure Are We?

Research Paper

Business environments consist of invisible or ill-defined risk factors which create challenges with...

  • 3 Jun 2020

Building an Audit Engine to Detect, Record, and Validate Internal Employees' Need for Accessing Customer Data

Research Paper

When using Software-as-a-Service (SaaS) products, customers are asked to store and entrust a large...

  • 11 Dec 2019

Securing the Supply Chain - A Hybrid Approach to Effective SCRM Policies and Procedures

Research Paper

Organizations' supply chains are growing increasingly interdependent and complex, the result of...

  • 7 Nov 2019

Cyber Protectionism: Global Policies are Adversely Impacting Cybersecurity

Research Paper

Cyber Protectionist policies are adversely impacting global cybersecurity despite their intent to...

  • 21 Aug 2019

Overcoming the Compliance Challenges of Biometrics

Research Paper

Due to increased regulations designed to protect sensitive data such as personally identifiable...

  • 22 May 2019

Evaluation of Comprehensive Taxonomies for Information Technology Threats

Research Paper

Categorization of all information technology threats can improve communication of risk for an...

  • 26 Mar 2018

Leverage Risk Focused Teams to Strengthen Resilience against Cyber Risks

Research Paper

Information security, risk management, audit and business continuity teams must continue to evolve...

  • 17 Nov 2017

Securing Against the Most Common Vectors of Cyber Attacks

Research Paper

Advanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit...

  • 12 Sep 2017