
Static source code analysis tools: Pros and cons

Static source code analysis tools can greatly improve application security, but it takes knowledge and expertise to use them correctly. Expert Michael Cobb explains why.

Are static code analysis tools the best way to identify potential security vulnerabilities? What are the drawbacks of using this type of tool?

Static code analysis certainly plays a vital role in a secure software development lifecycle, and solving problems at the code level with static source code analysis tools can greatly improve the chances of an application withstanding a malicious attack. By scrutinizing an application's source code without actually executing it, it is possible to find errors early in the development cycle. There is never a silver bullet when it comes to security, but code reviews are regarded as so important to the development of secure applications that they can be used to meet Requirement 6.6 of the Payment Card Industry Data Security Standard (PCI DSS).

Due to the complexity of today's applications, code reviews often rely on automated tools to look for vulnerabilities or weaknesses. These tools greatly reduce the time it takes to review large volumes of complex code and identify the issues developers need to concentrate on. Static analysis aims to uncover and remove problems such as buffer overruns, invalid pointer references and uninitialized variables.

However, to ensure a positive outcome, implementing such a tool requires experts who have the skills and knowledge to properly configure the tool and test environment, use the tool effectively and efficiently, and analyze the results. Employing such people full-time is only going to be economical for large enterprises that are constantly developing their own applications, particularly as the reviewers shouldn't be the same people as those developing the application. This means outsourcing your testing may be a more cost-effective option: you offload the burden of installing and learning an analysis tool, and you get the benefit of input from people who specialize in code reviews.
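To make concrete what an "uninitialized variable" finding involves, and why a human still has to analyze the results, here is an added example (not from the article or from any particular tool) of a minimal flow-sensitive definite-assignment checker for Python functions, built on the standard `ast` module; the program it scans is constructed for the illustration.

```python
import ast, builtins
# Constructed sample (not from the article): `total` is assigned on only one
# branch of the `if`, and `last` only inside a loop that may run zero times.
SAMPLE = '''
def summarize(items, verbose):
    if verbose:
        total = 0
    for item in items:
        last = item
        total = total + item
    return total, last
'''

def stores(node):  # names written anywhere inside node
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}

def reads(node, assigned, known, out):  # record reads of names not yet assigned
    out += [(n.lineno, n.id) for n in ast.walk(node) if isinstance(n, ast.Name)
            and isinstance(n.ctx, ast.Load) and n.id not in assigned | known]

def block(stmts, assigned, known, out):
    for stmt in stmts:
        assigned = step(stmt, assigned, known, out)
    return assigned

def step(stmt, assigned, known, out):
    # Definite-assignment transfer for one statement: branches merge by
    # intersection, a loop body may run zero times, nothing is ever executed.
    if isinstance(stmt, ast.If):
        reads(stmt.test, assigned, known, out)
        return (block(stmt.body, assigned, known, out)
                & block(stmt.orelse, assigned, known, out))
    if isinstance(stmt, ast.For):
        reads(stmt.iter, assigned, known, out)
        block(stmt.body, assigned | stores(stmt.target), known, out)  # result discarded
        return block(stmt.orelse, assigned, known, out)
    reads(stmt, assigned, known, out)  # straight-line: check reads, then record writes
    return assigned | stores(stmt)

def find_uninitialised(source):  # sorted (line, name) pairs of suspect reads
    tree, out = ast.parse(source), []
    known = set(dir(builtins)) | {n.name for n in tree.body if isinstance(n, (ast.FunctionDef, ast.ClassDef))}
    for fn in tree.body:
        if isinstance(fn, ast.FunctionDef):
            block(fn.body, {a.arg for a in fn.args.args + fn.args.kwonlyargs}, known, out)
    return sorted(set(out))

if __name__ == "__main__":
    for line, name in find_uninitialised(SAMPLE):
        print(f"line {line}: '{name}' may be read before assignment")
```

Running it reports `total` (assigned on only one branch) and `last` (assigned only inside the loop); the second is a false positive whenever `items` is never empty at runtime, which is exactly the judgement a skilled reviewer has to add to the tool's output.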

One drawback of static analysis is that the interaction of multiple functions can generate unanticipated errors, which only become apparent when the application is up and running under stress. Therefore, once the software is functionally complete, dynamic analysis should also be performed to test the code in real-life scenarios. Many software developers now also use fuzzing, a technique that bombards a running program's inputs with invalid, unexpected or random data, to test the robustness of the code while it executes. Many would argue that vulnerability assessments are a more practical approach than a static code review, as applications are becoming so complex, and they can be carried out from the perspective of both an untrusted outsider and a trusted user.

A related area that both manual and automated analysis tend to skip over is flow control and business logic analysis. Because each application has its own unique implementation of functions and features, it is difficult for static or dynamic analysis to test all of the possible permutations an application may face in the real world and capture every type of error. Also, how does a scanner know what data needs to be encrypted, and when? This is why including threat modeling in your development cycle is so important: by identifying the risks to an application, you can work to ensure that they are mitigated in the final version.

While finding and fixing programming errors can be time-consuming, in the long run it helps achieve a more stable and secure application. Because the cost of addressing security issues increases as the software design life cycle proceeds, using static analysis early on not only helps create better products and increases customer confidence in your applications, but also benefits the bottom line.

This was first published in May 2010
