Challenge in SAST

For the past few weeks I've been assigned a task to provide consultancy services for Bank Negara Selain Malaysia (BSNM). They wanted some input on how to tackle issues around source code auditing.

The idea behind a source code audit is to identify potentially tainted input sources that may jeopardize security at the designated sink functions. This is not to discredit the importance of dynamic testing such as pentesting, fuzzing, etc., but identifying loopholes from the code itself is quite important.

The challenge in this kind of analysis is that some issues are of course straightforward and need to be addressed immediately, and some issues are false positives that can be discarded. But there will be lots of issues picked up by the SAST tool that are vague: is this a real issue or a false positive, or is it truly an issue only under certain conditions or criteria, and a false positive under others?
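To make that three-way split concrete, here is a toy path-sensitive taint check, added as an example and not part of the original post or any tool it mentions: the control-flow graph format, the statement tuples and the sample program are all constructed for illustration. A sink is "confirmed" when tainted data reaches it on every path, a "false positive" when it never does, and "conditional" (the vague case) when only some paths sanitize the input first.

```python
# Statement tuples in a basic block:
#   ("source", v)        v becomes attacker-controlled
#   ("sanitize", v)      v is cleaned (e.g. parameterised / escaped)
#   ("assign", dst, src) taint propagates from src to dst
#   ("sink", v)          dangerous call that must not receive tainted v

def step(stmts, tainted):
    """Run one basic block; return (new taint set, tainted data hit a sink)."""
    tainted, hit = set(tainted), False
    for kind, *args in stmts:
        if kind == "source":
            tainted.add(args[0])
        elif kind == "sanitize":
            tainted.discard(args[0])
        elif kind == "assign":
            dst, src = args
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif kind == "sink":
            hit = hit or args[0] in tainted
    return tainted, hit

def paths(cfg, node, visited=()):
    """Enumerate acyclic paths from node to any block with no successors."""
    visited += (node,)
    if not cfg[node]["next"]:
        yield visited
    for nxt in cfg[node]["next"]:
        if nxt not in visited:          # skip back-edges so loops terminate
            yield from paths(cfg, nxt, visited)

def classify(cfg, entry="entry"):
    """Triage verdict for the sinks in cfg, based on every path from entry."""
    outcomes = []
    for path in paths(cfg, entry):
        tainted, hit = set(), False
        for node in path:
            tainted, h = step(cfg[node]["stmts"], tainted)
            hit = hit or h
        outcomes.append(hit)
    if all(outcomes):
        return "confirmed"
    if not any(outcomes):
        return "false positive"
    return "conditional"

# Constructed CFG: request parameter q is sanitized on one branch only,
# so whether the query sink is exploitable depends on which branch runs.
CONDITIONAL = {
    "entry": {"stmts": [("source", "q")], "next": ["clean", "raw"]},
    "clean": {"stmts": [("sanitize", "q")], "next": ["query"]},
    "raw":   {"stmts": [("assign", "p", "q")], "next": ["query"]},
    "query": {"stmts": [("sink", "q")], "next": []},
}
```

Running `classify(CONDITIONAL)` returns `"conditional"`, which is exactly the finding a human reviewer still has to look at.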

So we ended up implementing some sort of rain forest matrix AI to solve this thing, or at least minimize the number of vague issues by a factor of 9.

The point of the story is?

Agree to disagree is a universal concept.