5.1 - Review Based on Tool Outputs
Goal
Prioritize manual review effort using the output of automated tools, concentrating on the areas that static code analysis and runtime assessment flag as high-risk or complex.
How to Execute
- Analysis of Automated Tool Outputs
- Description: Begin by analysing the reports and findings generated by automated static and dynamic analysis tools. Identify the code and runtime behaviours flagged as high-risk or complex, since these are the findings that need a more nuanced, human evaluation than a scanner can provide.
- Tools/Techniques:
- Use the output of static analysis tools such as Semgrep, together with software composition analysis (SCA) scanners for third-party dependencies, to pinpoint the specific sections of code that need closer examination.
- Examine dynamic analysis results from tools like Burp Suite and OWASP ZAP to identify runtime vulnerabilities or unusual behaviours.
- Output: A list of issues and code areas ranked by the severity and complexity reported by the automated tools. This list guides the manual review so that the most critical areas are examined first. Treat tool severity as a starting point rather than a verdict: confirm findings, de-duplicate overlapping reports, and note where a static and a dynamic finding point at the same component, since corroborated findings deserve the earliest attention.
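As an added illustration of the steps above (example code written for this page, not part of the original checklist or of any tool's own output), the script below merges a Semgrep JSON report and a ZAP JSON report into one ranked review queue. The two reports are constructed samples shaped like those tools' JSON output; only the fields the script reads are reproduced, and the rule ids, paths and host are illustrative. The scoring weights (severity first, then finding density per file or URL path as a complexity proxy, then tool confidence) are a triage choice made for the example, not a standard.

```python
"""Added example: merge Semgrep (SAST) and ZAP (DAST) report output into one ranked review queue."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the shape of a Semgrep `--json` report. Assumption: only the
# fields read below are reproduced; rule ids and paths are illustrative, not real rules.
SEMGREP_JSON = """
{"results": [
  {"check_id": "rules.sql-string-built-from-request", "path": "app/db.py",
   "start": {"line": 42},
   "extra": {"severity": "ERROR", "message": "Request data flows into a SQL string",
             "metadata": {"confidence": "HIGH"}}},
  {"check_id": "rules.subprocess-shell-true", "path": "app/tasks.py",
   "start": {"line": 17},
   "extra": {"severity": "WARNING", "message": "subprocess called with shell=True"}},
  {"check_id": "rules.debug-mode-enabled", "path": "app/__init__.py",
   "start": {"line": 9},
   "extra": {"severity": "INFO", "message": "Framework debug mode enabled"}},
  {"check_id": "rules.eval-on-variable", "path": "app/db.py",
   "start": {"line": 88},
   "extra": {"severity": "WARNING", "message": "eval() called on non-literal input"}}
]}
"""

# Constructed sample in the shape of a ZAP JSON report (riskcode and confidence are
# strings "0".."3"). Host and findings are illustrative.
ZAP_JSON = """
{"site": [{"@name": "https://app.example.test",
  "alerts": [
    {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
     "instances": [{"uri": "https://app.example.test/search?q=a", "method": "GET"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
     "instances": [{"uri": "https://app.example.test/", "method": "GET"}]}
  ]}]}
"""

SEMGREP_SEVERITY = {"ERROR": 3, "WARNING": 2, "INFO": 1}
SEMGREP_CONFIDENCE = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    source: str       # "semgrep" or "zap"
    group: str        # unit used to measure density: a source file or a URL path
    where: str        # exact location shown to the reviewer
    title: str
    severity: int     # 0 (informational) .. 3 (high)
    confidence: int   # 0 .. 3
    hotspot: int = 1  # findings sharing this group; filled in by prioritize()

    @property
    def score(self) -> int:
        # Severity dominates, finding density (a proxy for complex, risky code) comes
        # next, and tool confidence breaks ties. Weights are a triage choice, not a standard.
        return self.severity * 10 + min(self.hotspot, 5) * 2 + self.confidence


def parse_semgrep(report: str) -> list[Finding]:
    findings = []
    for r in json.loads(report).get("results", []):
        extra = r.get("extra", {})
        conf = str(extra.get("metadata", {}).get("confidence", "MEDIUM")).upper()
        findings.append(Finding(
            source="semgrep",
            group=r["path"],
            where=f'{r["path"]}:{r["start"]["line"]}',
            title=extra.get("message") or r["check_id"],
            severity=SEMGREP_SEVERITY.get(str(extra.get("severity", "INFO")).upper(), 1),
            confidence=SEMGREP_CONFIDENCE.get(conf, 2),
        ))
    return findings


def parse_zap(report: str) -> list[Finding]:
    findings = []
    for site in json.loads(report).get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                uri = inst.get("uri", site.get("@name", ""))
                findings.append(Finding(
                    source="zap",
                    group=urlparse(uri).path or "/",
                    where=f'{inst.get("method", "?")} {uri}',
                    title=alert.get("alert") or alert.get("name", "unnamed alert"),
                    severity=int(alert.get("riskcode", 0)),
                    confidence=int(alert.get("confidence", 0)),
                ))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    # Density: how many findings land on the same file or URL path.
    density = Counter(f.group for f in findings)
    for f in findings:
        f.hotspot = density[f.group]
    return sorted(findings, key=lambda f: (-f.score, f.group, f.where))


def review_queue(semgrep_report: str, zap_report: str) -> list[Finding]:
    return prioritize(parse_semgrep(semgrep_report) + parse_zap(zap_report))


if __name__ == "__main__":
    for f in review_queue(SEMGREP_JSON, ZAP_JSON):
        print(f"{f.score:3d} sev={f.severity} x{f.hotspot} {f.source:7s} {f.where}  {f.title}")
```

Run against the sample reports, the queue puts the Semgrep SQL finding in app/db.py first (high severity, two findings in the same file, high confidence), the ZAP SQL Injection alert second, and the two low-severity items last. A real pipeline would additionally map URL paths to the handlers behind them so that a SAST and a DAST finding on the same component can be merged into one corroborated entry.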