by MattPalmer1086 860 days ago
No idea how good Veracode is in practice. It's been considered in at least 3 places I've worked and never been selected.

I would disagree that you can replace scanning tools with just human review though. You need both.

Static analysis and software composition analysis are good at flagging possible problems, but there's a lot of noise. You ideally want an application security engineer to be reviewing the code and scan results. And also conducting threat modelling with the devs, so you prevent problems even earlier.

1 comments

>I would disagree that you can replace scanning tools with just human review though. You need both.

If any of the scanning tools I've used were actually fit for purpose, I might actually agree with you, but they aren't. The amount of noise they generate makes them a distraction and a net negative.

Actually, I have a question for you on this. There's a big push towards "shift left" in the industry.

I'm all in favour of empowering developers to deal with stuff earlier, but the number of false positives these tools generate seems like it would just distract.

I think some kind of review and filtering of them before the average dev sees them would actually work better. Do you have an opinion on that?

Completely agree there's a lot of false positives. On the other hand, having seen the number of actual vulnerabilities in code left after only manual review, it's something that's a necessary evil.
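The "review and filtering before the average dev sees them" idea from the thread, as an added example that is not code from either commenter or from any scanner vendor: a small triage pass that reads SARIF-shaped scanner output and applies a reviewer-maintained policy (minimum severity, known-noise paths, triaged-and-accepted fingerprints, de-duplication) so that only the remaining findings are surfaced to developers. The tool name, rule ids, paths, fingerprints and policy values are all constructed for illustration.

```python
"""Pre-filter SAST findings before they are routed to developers (added example)."""
import fnmatch
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: float   # tool's security-severity score on a 0-10 scale
    uri: str
    line: int
    fingerprint: str  # stable per-location hash the scanner emits, used to track triage


@dataclass
class TriagePolicy:
    min_severity: float               # below this, a human reviews it rather than a dev
    ignore_globs: tuple               # paths where this tool's findings are known noise
    accepted_fingerprints: frozenset  # reviewer-triaged false positives / accepted risk


# Constructed SARIF-shaped input, reduced to the fields this filter uses.
SAMPLE_SARIF = json.dumps({"runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "js/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "js/unused-variable", "properties": {"security-severity": "1.0"}},
        {"id": "js/hardcoded-credentials", "properties": {"security-severity": "7.5"}},
    ]}},
    "results": [
        {"ruleId": "js/sql-injection", "partialFingerprints": {"primaryLocationLineHash": "aa11"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db/users.js"}, "region": {"startLine": 42}}}]},
        # same finding reported a second time (e.g. two analysis passes): must not be shown twice
        {"ruleId": "js/sql-injection", "partialFingerprints": {"primaryLocationLineHash": "aa11"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db/users.js"}, "region": {"startLine": 42}}}]},
        {"ruleId": "js/unused-variable", "partialFingerprints": {"primaryLocationLineHash": "bb22"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.js"}, "region": {"startLine": 7}}}]},
        # a real-looking secret, but in a test fixture directory the reviewer has marked as noise
        {"ruleId": "js/hardcoded-credentials", "partialFingerprints": {"primaryLocationLineHash": "cc33"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/fixtures/fake_creds.js"}, "region": {"startLine": 3}}}]},
        # previously triaged by the appsec reviewer and accepted; fingerprint is on the accepted list
        {"ruleId": "js/hardcoded-credentials", "partialFingerprints": {"primaryLocationLineHash": "dd44"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.js"}, "region": {"startLine": 12}}}]},
    ]}]})

# Constructed policy, the kind an appsec engineer would keep under version control next to the scanner config.
SAMPLE_POLICY = TriagePolicy(
    min_severity=7.0,
    ignore_globs=("test/**", "**/vendor/**"),
    accepted_fingerprints=frozenset({"dd44"}),
)


def parse_sarif(text: str) -> list[Finding]:
    """Flatten the SARIF runs/results structure into Finding records, joining rule metadata for severity."""
    doc = json.loads(text)
    findings = []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            loc = res["locations"][0]["physicalLocation"]
            findings.append(Finding(
                rule_id=res["ruleId"],
                severity=float(rule.get("properties", {}).get("security-severity", 0.0)),
                uri=loc["artifactLocation"]["uri"],
                line=loc["region"]["startLine"],
                fingerprint=res.get("partialFingerprints", {}).get("primaryLocationLineHash", ""),
            ))
    return findings


def triage(findings: list[Finding], policy: TriagePolicy) -> tuple[list[Finding], Counter]:
    """Return (findings to surface to developers, counts of what was held back and why).

    Held-back findings are not discarded in practice; they stay in the reviewer's queue.
    """
    kept, dropped, seen = [], Counter(), set()
    for f in findings:
        if f.fingerprint:
            if f.fingerprint in seen:
                dropped["duplicate"] += 1
                continue
            seen.add(f.fingerprint)
        if f.fingerprint in policy.accepted_fingerprints:
            dropped["reviewer-accepted"] += 1
        elif any(fnmatch.fnmatch(f.uri, g) for g in policy.ignore_globs):
            dropped["ignored-path"] += 1
        elif f.severity < policy.min_severity:
            dropped["below-severity"] += 1
        else:
            kept.append(f)
    return kept, dropped


def run_example() -> tuple[list[Finding], Counter]:
    return triage(parse_sarif(SAMPLE_SARIF), SAMPLE_POLICY)


if __name__ == "__main__":
    surfaced, held = run_example()
    for f in surfaced:
        print(f"DEV: {f.rule_id} {f.uri}:{f.line} (severity {f.severity})")
    print("held for reviewer:", dict(held))
```

Run as a script it prints the one SQL-injection finding for developers and the counts held back for the reviewer. The order of the checks matters: the accepted-fingerprint list is consulted before the path and severity rules, so a finding an appsec engineer has already triaged never reappears when the policy is tuned, and the duplicate check keys on the scanner's fingerprint rather than on file and line so a re-run after unrelated edits does not double-report.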