As a part of the development process, has the source code been scanned for vulnerabilities using a third-party static code analysis tool such as Coverity, WebInspect, Veracode, Fortify or BeyondTrust?

Static code analysis

Static Code Analysis (SCA) is the process of analyzing the source code of an application without executing it. The analyzer reads the code and looks for errors and vulnerabilities present in it. Examples of what an analyzer may look for include:

  • Not initializing variables before use

  • Known unsafe function calls

  • Inconsistent interfaces between modules and components

  • Unreachable code or “Dead Code”

  • Failure to follow standard coding practices

  • Syntax violations
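As an added illustration (not from the original page or from any of the products named above), the following toy analyzer shows the principle behind two of the bullets: it parses Python source with the standard `ast` module, never executes it, and reports known unsafe calls and unreachable code. The unsafe-call list and the sample input are constructed for this example.

```python
"""Toy static analyzer for two of the checks listed above (added illustration, not a real tool)."""
import ast

# Call targets a checker would flag as known-unsafe (constructed list, not exhaustive).
UNSAFE_CALLS = {"eval", "exec", "pickle.loads", "yaml.load", "os.system"}
# Statements after which the remainder of a block can never execute.
TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)

def _call_name(call):
    """Dotted name of a call target ('pickle.loads', 'eval'), or None if too complex."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def analyze(source):
    """Parse (never execute) Python source and return sorted (line, message) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Check 1: known unsafe function calls.
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in UNSAFE_CALLS:
                findings.append((node.lineno, f"unsafe call: {name}"))
        # Check 2: unreachable ("dead") code after return/raise/break/continue.
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(node, field, None)
            if not isinstance(stmts, list):
                continue  # e.g. a lambda body is a single expression, not a block
            for i, stmt in enumerate(stmts[:-1]):
                if isinstance(stmt, TERMINATORS):
                    findings.append((stmts[i + 1].lineno, "unreachable code"))
                    break
    return sorted(findings)

# Constructed sample with one defect of each kind; it is only parsed, never run.
SAMPLE = """\
def load(blob):
    obj = pickle.loads(blob)
    return obj
    print("never runs")

def run(cmd):
    os.system(cmd)
"""

if __name__ == "__main__":
    for line, message in analyze(SAMPLE):
        print(f"line {line}: {message}")
```

Real tools add data-flow analysis on top of pattern checks like these, which is how they find uninitialized variables and unsafe calls whose arguments come from untrusted input.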

Why are they asking this?

Failing to run SCA on your source code can leave vulnerabilities in your application undetected.

While SCA may not detect every vulnerability, it helps eliminate the common ones and the easy-to-exploit ones.

What do they expect?

It is expected that you have a robust software development life cycle (SDLC) that includes static code analysis in addition to other measures to ensure that the code is not vulnerable.