Difference between revisions of "Static Code Analysis"

From OWASP
Jump to: navigation, search
(Added description of false positives and false negatives, also added AppScan Source to commercial tools.)
Line 28: Line 28:
  
 
===False Positives===
 
===False Positives===
TBD
+
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.
 +
 
 +
False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.
  
 
===False Negatives===
 
===False Negatives===
TBD
+
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.
  
 
==Examples==
 
==Examples==
Line 65: Line 67:
 
* [http://www.armorize.com/codesecure/ Armorize CodeSecure]
 
* [http://www.armorize.com/codesecure/ Armorize CodeSecure]
 
* [http://www.checkmarx.com/ Checkmarx Cx Suite]
 
* [http://www.checkmarx.com/ Checkmarx Cx Suite]
 +
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
  
 
==References==
 
==References==

Revision as of 19:24, 5 January 2012

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


Every Control should follow this template.


This is a control. To view all control, please see the Control Category page.

Last revision (mm/dd/yy): 01/5/2012

Description

Static Code Analysis is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

Techniques

There are various techniques to analyze static source code for potential vulnerabilities.

Data Flow

TBD

Taint Analysis

TBD

Limitations

TBD

False Positives

A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

False Negatives

The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

Examples

RIPS PHP Static Code Analysis Tool

Rips.jpg

OWASP LAPSE+ Static Code Analysis Tool

LapsePlusScreenshot.png

Tools

Also see Source Code Analysis Tools.

Open Source/Free

Commercial

References

[0] Ministry of Defence (MoD). (1997) SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

Further Reading