Static analysis, also known as static code analysis or source code analysis, is the process by which code is examined and debugged without actually executing a program to do so. It is done as part of a code review during the implementation phase of a Security Development Lifecycle (SDLC).
What is the point of static code analysis?
The static code analyzer points out vulnerabilities within the static source code. The source is called 'static' because it is not being executed at the time it is examined.
As well as highlighting vulnerabilities, static code analysis tools should also let the user see the code structure and so understand it better, and make sure that, if nothing else, the code conforms to the industry standard.
Are there different techniques that can be used?
Yes, and these include:
– Data flow analysis.
– Control flow graph (CFG).
– Taint analysis.
– Lexical analysis.
Why use static analysis? What are the advantages?
Much released software ends up failing later down the line because errors or defects in the code do not show themselves until long after release.
One of the best things about static code analysis is that it has the ability to bring to light errors that have not yet had the opportunity to manifest into something dangerous for the software.
The last thing you want is for the software to fail months or years later due to an error that could have been diagnosed through static analysis. Once the static check is complete, the user can then use dynamic analysis to uncover any defects that the static analysis was unable to find.
Something to keep in mind
The tool can produce false positive or false negative results when the data and code being reviewed are ambiguous. By this I mean that if the tool is unable to determine the integrity or security of the data, it may produce a wrong result.
Static code analysis is a necessary tool to make use of, as it can be run in the background and is useful for detecting potential errors before they surface in production.
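To make the data flow and taint analysis techniques listed earlier, and the false positive / false negative caveat just above, concrete, here is an added example that is not part of the original post: a toy taint analyser written in Python on top of the standard `ast` module. It walks a module statement by statement, tracks which variables hold attacker-controlled data, propagates that taint through assignments and expressions, clears it through a known sanitiser, and reports calls to a known sink whose arguments are tainted. The source, sink and sanitiser names (`request_param`, `run_query`, `escape_sql`, `my_custom_escape`) are assumed placeholders, and the analysed snippet is constructed for the example.

```python
"""Toy forward taint analysis over Python source (added example, not a real tool).

Policy names below are assumptions chosen for illustration; a real analyser
ships a large catalogue of sources, sinks and sanitisers per framework.
"""
import ast

SOURCES = {"request_param"}    # hypothetical: returns untrusted user input
SANITIZERS = {"escape_sql"}    # hypothetical: neutralises input for the sink
SINKS = {"run_query"}          # hypothetical: executes SQL


def _call_name(node):
    """Return the simple function name of a call like f(...), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
    return None


def _is_tainted(expr, tainted):
    """Data-flow rule for one expression.

    A sanitiser call yields clean data regardless of its arguments, a source
    call yields tainted data, a variable is tainted if it is in the tainted
    set, and any other expression is tainted if any sub-expression is.
    """
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def analyze(source):
    """Analyse straight-line top-level statements; return (line, sink, arg) findings.

    Only plain assignments and expression statements are modelled; augmented
    assignment (x += y) is deliberately left out to show a false negative.
    """
    tree = ast.parse(source)
    tainted = set()
    findings = []
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign):
            targets = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if _is_tainted(stmt.value, tainted):
                tainted |= targets
            else:
                tainted -= targets   # reassignment with clean data kills taint
        elif isinstance(stmt, ast.Expr) and _call_name(stmt.value) in SINKS:
            call = stmt.value
            for arg in call.args:
                if _is_tainted(arg, tainted):
                    findings.append((stmt.lineno, _call_name(call), ast.unparse(arg)))
    return findings


# Constructed sample program; the first line of the string is blank, so
# "user = ..." is line 2.
SAMPLE = """
user = request_param("id")
query = "SELECT * FROM t WHERE id = " + user
run_query(query)                                    # true positive (line 4)
safe = escape_sql(user)
run_query("SELECT * FROM t WHERE id = " + safe)     # clean: known sanitiser
cleaned = my_custom_escape(user)
run_query("SELECT * FROM t WHERE id = " + cleaned)  # false positive (line 8): sanitiser unknown to the tool
limit = 10
run_query("SELECT * FROM t LIMIT " + str(limit))    # clean: no untrusted data
other = "SELECT * FROM t WHERE name = "
other += user
run_query(other)                                    # false negative: += not modelled
"""

if __name__ == "__main__":
    for line, sink, arg in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}({arg})")
```

Running the block reports lines 4 and 8 only. Line 8 is the false positive the post warns about: `my_custom_escape` may well be a correct sanitiser, but since the tool's policy does not know it, the data stays marked as tainted. Line 13 is the matching false negative: the taint really does flow through `other += user`, but the toy's model of the language has a gap, so the flow is missed. Both failure modes come from the analyser's knowledge of the code and data being incomplete, which is why findings still need human review and why dynamic analysis is used as a complement.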
Great post.
For anyone interested in learning about some of the popular app security tools that provide static code analysis, you might like to visit IT Central Station and take a look at the tools listed there (https://www.itcentralstation.com/categories/application-security-testing/tzd/c405-sf-15) as well as the user reviews. One popular solution is HPE Fortify on Demand (ranked at #1 in this category of tools), which you can read about here: https://www.itcentralstation.com/products/hpe-fortify-on-demand/tzd/c405-sf-15
I hope this is helpful.