Difference between revisions of "Static Code Analysis"

From OWASP
Jump to: navigation, search
Line 11: Line 11:
 
==Description==
 
==Description==
  
A control (countermeasure or security control) is a protection mechanism that prevents, deters, or detects attacks, or prevents or reduces vulnerabilities.
+
Static Code Analysis is usually performed as part of a Code Review and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within source code by using techniques such as Flow Control and/or Pattern Matching.
 
+
# Start with a one-sentence description of the control
+
# How does the countermeasure work?
+
# What are some examples of implementations of the control (steer clear of specific products)
+
 
+
  
 
==Risk Factors==
 
==Risk Factors==
Line 39: Line 34:
 
: A short example description, small picture, or sample code with [http://www.site.com links]
 
: A short example description, small picture, or sample code with [http://www.site.com links]
  
 +
== Tools ==
 +
 +
= Open Source/Free =
 +
 +
* OWASP LAPSE
 +
* PMD -
 +
* FlawFinder
 +
* Microsoft FxCop
 +
* Splint
 +
* Boon
 +
* Pscan
 +
* FindBugs
 +
 +
= Commercial =
 +
 +
* Fortify
 +
* Ounce labs Prexis
 +
* Veracode
 +
* GrammaTech
 +
* ParaSoft
 +
* ITS4
 +
* Code Wizard
 +
* Armorize CodeSecure
 +
* Checkmarx CxSuite
  
 
==Related [[Attacks]]==
 
==Related [[Attacks]]==

Revision as of 08:06, 5 January 2012

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


Every Control should follow this template.


This is a control. To view all control, please see the Control Category page.

Last revision (mm/dd/yy): 01/5/2012

Description

Static Code Analysis is usually performed as part of a Code Review and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within source code by using techniques such as Flow Control and/or Pattern Matching.

Risk Factors

  • Talk about the factors that this control affects
  • What effect does this countermeasure have on the attack or vulnerability?
  • Does this control reduce the technical or business impact?


Difficulty to Implement

  • Discuss the typical difficulty of implementing this control, emphasizing the factors that make it easier or harder
  • Steer clear of language/platform specific information here


Examples

Short example name

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links

Tools

Open Source/Free

  • OWASP LAPSE
  • PMD -
  • FlawFinder
  • Microsoft FxCop
  • Splint
  • Boon
  • Pscan
  • FindBugs

Commercial

  • Fortify
  • Ounce labs Prexis
  • Veracode
  • GrammaTech
  • ParaSoft
  • ITS4
  • Code Wizard
  • Armorize CodeSecure
  • Checkmarx CxSuite

Related Attacks


Related Vulnerabilities


Related Controls


References