Static source code analysis tools: Pros and cons

Static source code analysis tools can greatly improve application security, but it takes knowledge and expertise to use them correctly. Expert Michael Cobb explains why.

Are static code analysis tools the best way to identify potential security vulnerabilities? What are the drawbacks of using this type of tool?

Static code analysis certainly plays a vital role in a secure software development lifecycle, and solving problems at the code level with static source code analysis tools can greatly improve the chances of an application being able to withstand a malicious attack. By scrutinizing an application's source code without actually executing it, such tools make it possible to find errors early in the development cycle. There is never a silver bullet when it comes to security, but code reviews are regarded as so important to the development of secure applications that they can be used to meet Requirement 6.6 of the Payment Card Industry Data Security Standard (PCI DSS).

Due to the complexity of today's applications, code reviews often make use of automated tools to look for vulnerabilities or weaknesses. These tools greatly reduce the time it takes to review complex reams of code and identify issues developers need to concentrate on. Static analysis aims to uncover and remove problems such as buffer overruns, invalid pointer references, and uninitialized variables.
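As an added illustration, not a tool from this article, the toy Python checker below shows what "scrutinizing source code without executing it" means in practice: it scans C source text for calls to string functions that take no length bound, the pattern behind many buffer overruns. The sample source it scans is constructed here; real products build data-flow and taint analysis on top of this kind of matching.

```python
"""Toy static analyser: flags calls to unbounded C string functions.

Added illustration, not a tool from the article. It reads source text
without compiling or running it, which is the defining property of
static analysis; real products add data-flow and taint tracking."""
import re

# Functions that write into a buffer with no length parameter, paired
# with the bounded call a reviewer would normally suggest instead.
UNBOUNDED = {
    "strcpy": "strncpy/strlcpy or memcpy with an explicit length check",
    "strcat": "strncat/strlcat",
    "sprintf": "snprintf",
    "gets": "fgets",
}
# \b keeps strncpy/snprintf/vsprintf from matching the unbounded names.
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED) + r")\s*\(")

def strip_comments(src: str) -> str:
    """Blank out /* */ and // comments while preserving the line count,
    so reported line numbers still point at the original source."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", blank, src)

def find_unbounded_calls(src: str):
    """Return (line_no, function, advice) for each flagged call."""
    findings = []
    for no, line in enumerate(strip_comments(src).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            fn = m.group(1)
            findings.append((no, fn, UNBOUNDED[fn]))
    return findings

# Constructed sample input: a fragment of the kind a reviewer might meet.
SAMPLE = """\
#include <string.h>
/* strcpy in this comment must not be reported */
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);        // no bound: classic overrun
    strncpy(dst, src, 16);   // bounded, not flagged
    return 0;
}
"""

if __name__ == "__main__":
    for no, fn, advice in find_unbounded_calls(SAMPLE):
        print(f"line {no}: {fn}() has no length bound; consider {advice}")
```

Even this crude checker shows why findings need a skilled reviewer: it cannot tell whether the source argument was already length-checked a few lines earlier, so every hit still has to be triaged.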

However, to ensure a positive outcome, implementing such a tool requires experts who have the skills and knowledge to properly configure the tool and test environment, use the tool effectively and efficiently, and analyze the results. Employing such people full time is only going to be economical for large enterprises that are constantly developing their own applications, particularly as the reviewers shouldn't be the same people as those developing the application. This means outsourcing your testing may be a more cost-effective option: you offload the burden of installing and learning an analysis tool, and you get the benefit of input from people who specialize in code reviews.

One drawback with static analysis is that the interaction of multiple functions can generate unanticipated errors, which only become apparent when the application is up and running under stress. Therefore, once the software is functionally complete, dynamic analysis should also be performed, testing the code in real-life scenarios. Many software developers now also use fuzzing, a technique that bombards a running program's inputs with invalid, unexpected, or random data, to test the robustness of its code while it's executing. Many would argue that vulnerability assessments are a more practical approach than a static code review, since applications are becoming so complex and an assessment can be run from both the perspective of an untrusted outsider and that of a trusted user.

A related area that both manual and automated analysis tend to skip over is flow control and business logic analysis. Because each application has its own unique implementation of functions and features, it is difficult for static or dynamic analysis to test all of the possible permutations that an application may face in the real world and capture every type of error. Also, how does a scanner know what data needs to be encrypted and when? This is why including threat modeling in your development cycle is so important: by identifying the risks to an application, you can work to ensure that they are mitigated in the final version.

While finding and fixing programming errors can be time consuming, in the long run it helps achieve a more stable and secure application. As the cost of addressing security issues increases as the software design life cycle proceeds, using static analysis early on not only helps create better products, increasing customer confidence in your applications, but it also benefits the bottom line.


This was last published in May 2010
