Difference between revisions of "Static Code Analysis"

From OWASP

Revision as of 09:44, 5 January 2012


Last revision (mm/dd/yy): 01/5/2012

Description

Static Code Analysis is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to running static analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code, using techniques such as Control Flow analysis and/or Pattern Matching.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

Techniques

There are various techniques to analyze static source code for potential vulnerabilities.

Control Flow

TBD

Pattern Matching

TBD
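The two techniques named above can be contrasted on the same input. The following is an added example, not code from the OWASP page or from any of the tools it lists: a minimal pattern matcher (a regular expression over source lines) and a minimal data-flow check (walking the Python `ast` and propagating taint from function parameters to dangerous calls) run over a small constructed program. The sample program, the sink list and the assumption that every function parameter is untrusted are all constructed for illustration.

```python
import ast
import re

# Constructed sample program under analysis (not from the OWASP page).
# Line numbers in findings refer to lines of this string (line 1 is blank).
SAMPLE_SOURCE = '''
import os
import subprocess

def run(user):
    cmd = "ls " + user           # parameter flows into a command string
    os.system(cmd)               # sink reached by untrusted data

def safe():
    os.system("ls /tmp")         # constant argument, no untrusted data

def eval_me(request):
    data = request
    eval(data)                   # sink reached through an intermediate variable
'''

# Hypothetical sink list for this example; a real tool ships a much larger one.
SINKS = {"os.system", "eval", "exec", "subprocess.call"}

# Technique 1: pattern matching. Flags any line that textually calls a sink,
# with no knowledge of where the argument came from.
SINK_PATTERN = re.compile(r"\b(os\.system|eval|exec|subprocess\.call)\s*\(")


def pattern_match(source: str) -> list[int]:
    """Return line numbers on which a sink call appears textually."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if SINK_PATTERN.search(line)]


def _call_name(node: ast.Call) -> str:
    """Dotted callee name such as 'os.system', or '' if it is not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _is_tainted(expr: ast.AST, tainted: set[str]) -> bool:
    """An expression is tainted if any variable inside it is in the tainted set."""
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))


def taint_analysis(source: str) -> list[int]:
    """Technique 2: flow-based check. Treat every function parameter as untrusted
    (an assumption made for this example), propagate taint through assignments in
    statement order, and report sink calls whose arguments carry taint."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = {a.arg for a in func.args.args}
        for stmt in func.body:
            # Simple assignment propagates taint from right-hand side to targets.
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if _call_name(call) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                    findings.append(call.lineno)
    return sorted(findings)


if __name__ == "__main__":
    pm, ta = pattern_match(SAMPLE_SOURCE), taint_analysis(SAMPLE_SOURCE)
    print("pattern matching flags lines:", pm)
    print("taint analysis flags lines:  ", ta)
    print("pattern-only (likely false positives):", sorted(set(pm) - set(ta)))
```

The pattern matcher reports the constant-argument call in `safe()` alongside the real findings, which is the classic false-positive cost of purely textual rules; the flow-based check drops it because no untrusted value reaches that call. The flow-based check is deliberately shallow (straight-line statements, no branches, loops, calls between functions or sanitiser recognition), which is exactly the gap that real control-flow and data-flow engines exist to close.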

Examples

RIPS PHP Static Code Analysis Tool (screenshot)

OWASP LAPSE+ Static Code Analysis Tool (screenshot)

Tools

Open Source/Free

Commercial

References

[0] Ministry of Defence (MoD). (1997) SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

Further Reading