Limitations of Internal Code Risk Assessment Tools

Most tools, particularly sophisticated ones, require some expertise to deploy and configure. Typically, companies implementing a tool will tune it for their needs, increasing or decreasing sensitivity to particular issues. Most tools allow you to configure the severity classification of issues. For example, something that would normally appear as red, such as a specific type of security vulnerability, might instead show up as yellow or even green because of the way the target has implemented the tool. But many tools don’t log the specifics of how they were configured, so you don’t know what “ruler” was being used to measure.

Software analysis tools typically allow users to interpret or even override results. They may not require or even allow for comments from the user. A user might dismiss a bug for good reason or due to ignorance or to cover up a problem. You can’t tell from a report. And even seasoned software developers don’t have experience or expertise with tools used by engineers who evaluate code for a living. Just as with any specialized field, seasoned experts are always in the best position to make sense of results.

Importantly, scan reports from a tool usually don’t make clear the scope of the code they relate to, i.e., which applications or files are covered by the report. An application may have five modules, but the tool may have been run on only three of them. Perhaps this is for a good reason, but it could be an inadvertent or even an intentional omission. There’s generally no way to know.

Lastly, tools are only part of the process and only tell the story of that part. Dozens of bugs may have been cleared and pushed into a queue to be addressed in the next release. The developer can mark them as a nonissue although they have yet to be addressed and they are not highlighted in the report. The tracking of these issues sits outside the tool, and so it doesn’t show up in the reporting.