Published May 19, 2020
When it comes to analyzing code bases for security purposes, developers and their managers face some interesting choices. Application security testing can occur on demand, with scanning tools that check for vulnerabilities and recommend remediation or mitigation strategies if and when their findings so dictate. On the other hand, developers can instead choose to integrate code security tools within the development environment – usually at the IDE level – and make code checks part of every code change, release package, and so forth.
What’s the Difference Between One-Offs and Continuous Scans?
In a word: cost. Kiuwan’s application security testing takes the form of code scans. These may be applied one-at-a-time for a fixed cost. Or, they may be applied continuously as code is developed, tested, and maintained within an IDE. This supports event-driven scans and on-demand scans to cover just about any kind of testing scenario. But its real advantage is it builds security scanning right into the development process from start to finish.
The costs for one-time scans run from US$599 to US$2,550. These really work best for a security audit. The price is for up to 100K lines of code (with multiple such charges for each 100K block up to 2 M lines of code, maximum). The lower price is for a single scan run; the higher price is for 5 single scan runs. Thus a codebase of 550K lines for 1 scan would cost US$3,594; US$15,300 for 5 scans.
The costs for continuous scans are higher and are priced in terms of subscriptions – and again, in terms of the number of lines of code involved. At 10 scans or more per year, the pricing for a subscription begins to look attractive. And in fact, none of the reviews of Kiuwan on Capterra mention pricing as a problem or an issue. The vast majority of reviewers give the product 4 or 5 out of 5 possible stars under its “Value for Money” category.
Continuous scanning offers IDE plug-ins for direct integration into the development process. The IDE plug-ins supported include Eclipse, IntelliJ, and Visual Studio. They can pull scan results directly into IDE viewer panels, which lets developers jump straight to the individual lines of code that require attention with minimal effort (usually a single click). The Kiuwan IDE plug-in can also be run in Analyzer mode, which applies Static Application Security Testing (SAST) to the code under development. This lets developers scan for vulnerabilities while writing code and lets testers scan for vulnerabilities during testing phases, offering the tightest integration of security scanning into the development process.
Picking the Option That’s Right for You (and Your Budget)
Those facing security audits may be best served by the one-time scan models. Ditto for those on tight budgets. But in the long run, ongoing integration of security scans into the development process offers the best risk management strategy for software development, particularly for products licensed to third-party customers.
The real costs involved in code security must ultimately also include the costs of mitigation and remediation if and when security issues appear after public release. And then there are legitimate and growing concerns over liability, which might come through FTC action or class action suits. The potential costs involved, and the potential for damage to reputation and future revenues, argue strongly and eloquently in favor of the continuous scanning model. Security works best when baked in throughout the entire software lifecycle. Continuous scanning (and its integration features) makes it a sure bet when it comes to building the most secure code possible.