Comment by SpicyLemonZest

19 hours ago

Can't you? My understanding is that that's exactly how security scans usually work - you run an analysis, find all the vulnerabilities, and then the continuous process is only there to check against the introduction of new vulnerabilities. Is that not the right mental model?

2 comments

SpicyLemonZest

tptacek 19 hours ago

No, you cannot.

(A "security scanner" is a one-and-done proposition because it's deterministic and is going to find what it finds the first time you run and nothing more. But a software security assessment project you run every year on the same target with different teams will turn up different stuff every year. I'm at pains to remind people how totally lame source code security scanners are. People keep saying "static analyzers already do this" and like, nobody in security takes those tools seriously.)

SpicyLemonZest 18 hours ago

Interesting. Thanks for the info, I’m going to have to read up on this at some point.