Lucent Sky AVM in the SDLC: What are partial scanning and incremental scanning?

August 02, 2015

When using a SAST (static application security testing) solution in a software development lifecycle (SDLC), two common concerns are if the SAST solution is capable of scanning an application that's not buildable or compilable, and if it's capable of incremental scanning. These two concerns are sometimes ambiguously referred to as "partial scanning." In this article, we explain the rationale behind these concerns, and how Lucent Sky AVM help developers address them.

Why scan applications that are not compilable?

Some SAST tools are able to scan source code that cannot yet compile. The obvious benefit is that this allows for earlier usage of static code analysis in the SDLC and theoretically allow developers more time to fix vulnerabilities. The catch is that in such applications, the connection between the "source" of a vulnerability (where a hacker sends malicious data or commands into the application) and the "sink" of a vulnerability (where those malicious data or commands cause harm), has often not yet been made. These scans therefore tend to either yield a high rate of false positives or else miss vulnerabilities that become evident when separate sets of functions get connected such that the code can compile.

Why does Lucent Sky AVM require an application to be compilable?

Lucent Sky AVM currently only supports applications that can be built and compiled. This is because Lucent Sky AVM's mitigation engine relies on accurate and detailed information that can only be extracted by analyzing both source code and the resulting binary files. More importantly, the need to scan source code so early on in the SDLC (when the source code doesn’t even compile) is less relevant when using Lucent Sky AVM, which is able to fix most vulnerabilities in one scan.

What is incremental scanning?

An incremental scan allows a user to modify parts of a code base that has been previously scanned (i.e. to add, update, delete or otherwise modify code) and to initiate a subsequent scan that will focus only on the modified code. The results of this incremental scan (that has only scanned the modified code) are merged with the results of the previous scan.

Is Lucent Sky AVM capable of incremental scanning?

Lucent Sky AVM can generally scan an application with up to 1 million lines of code equivalent (LOCe) in under two hours. Because of this speed, the need for incremental scans is relatively diminished. However, for enhanced ease of use, Lucent Sky expects to introduce incremental scanning to forthcoming releases of Lucent Sky AVM in 2016.

The ultimate goal of "partial scanning" is to save developer time. Lucent Sky AVM allows developers to save time by combining and automating the process of vulnerability identification and mitigation - everywhere in their source code, in a matter of minutes.