...

This raises questions about the efficacy of SAST for organizations focused on immediate benefits. Traditional SAST products do not use the actual executable/binary for analysis; they typically use a representation of your program. This technique, no matter how good the analysis, will always produce many False Positives (FPs), and it will find defects on paths that the program would never actually execute in a live system.

...

Our solution is expected to mitigate 80% of the issues, so we can set the Estimated Risk Mitigation to 0.8. Taking the above-mentioned costs (Cost of the Solution) as 100 per year, and the cost of each manual-review data loss (SLE) as 60, occurring 5 times a year (ARO), the Estimated Potential Loss is ALE = ARO * SLE = 5 * 60, and the ROSI can be calculated as follows:
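As an added worked example (not the page's own calculation), the inputs above are run through the standard ROSI formula, ROSI = (ALE * mitigation ratio - cost of solution) / cost of solution; it is assumed here that the page applies this common definition, and the break-even helper is an addition beyond what the text states.

```python
# Added example, not code from the original page: the standard ROSI formula
# applied to the figures quoted in the text (ARO = 5, SLE = 60,
# Cost of the Solution = 100 per year, Estimated Risk Mitigation = 0.8).
# Assumption: the page uses ROSI = (ALE * mitigation - cost) / cost.

def estimated_potential_loss(aro: float, sle: float) -> float:
    """ALE = ARO * SLE: expected yearly loss if the risk is left unmitigated."""
    return aro * sle


def rosi(ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """Return on Security Investment as a fraction of the solution cost
    (0.0 means the solution exactly pays for itself, 1.0 means 100% return)."""
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie between 0 and 1")
    return (ale * mitigation_ratio - solution_cost) / solution_cost


def break_even_mitigation(ale: float, solution_cost: float) -> float:
    """Smallest mitigation ratio at which ROSI reaches zero (added helper,
    useful when checking a vendor's claimed mitigation against the price)."""
    if ale <= 0:
        raise ValueError("ALE must be positive")
    return solution_cost / ale


# Figures from the text.
PAGE_ALE = estimated_potential_loss(5, 60)      # 5 * 60 = 300
PAGE_ROSI = rosi(PAGE_ALE, 0.8, 100)            # (300 * 0.8 - 100) / 100 = 1.4

if __name__ == "__main__":
    print(f"ALE = {PAGE_ALE}, ROSI = {PAGE_ROSI:.0%}")
    print(f"break-even mitigation = {break_even_mitigation(PAGE_ALE, 100):.0%}")
```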

...

ROI Tip: this can all be achieved with the same number of developers, demonstrating the solution's overall scalability.

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.