🤖 AI Summary
To address the challenges of identifying static security vulnerabilities in proprietary and open-source software, unclear vulnerability remediation priorities, and escalating software supply chain risks, this paper proposes an end-to-end, customizable Static Application Security Testing (SAST) workflow. The workflow enables multi-tool orchestration, iterative scanning, and seamless DevSecOps integration, incorporating AI-driven vulnerability prioritization and automated remediation governance as key innovations. Leveraging a generalized process design with environment-adaptive configuration, it significantly improves detection coverage and remediation efficiency. Experimental evaluation in industrial settings demonstrates that the approach reduces source-code-level vulnerabilities by 32.7%, mitigates third-party component–introduced risks by 41.5%, and ensures backward compatibility with legacy systems while supporting scalable deployment across heterogeneous environments.
📝 Abstract
Software vulnerabilities remain a significant risk factor in achieving security objectives within software development organizations. This is especially true where either proprietary or open-source software (OSS) is included in the technological environment. In this paper an end-to-end process with supporting methods and tools is presented. This industry proven generic process allows for the custom instantiation, configuration, and execution of routinized code scanning for software vulnerabilities and their prioritized remediation. A select set of tools are described for this key DevSecOps function and placed into an iterative process. Examples of both industrial proprietary applications and open-source applications are provided including specific vulnerability instances and a discussion of their treatment. The benefits of each selected tool are considered, and alternative tools are also introduced. Application of this method in a comprehensive SDLC model is also reviewed along with prospective enhancements from automation and the application of advanced technologies including AI. Adoption of this method can be achieved with minimal adjustments and with maximum flexibility for results in reducing source code vulnerabilities, reducing supply chain risk, and improving the security profile of new or legacy solutions.