Difference between revisions of "Static Code Analysis"

From OWASP
(Added description of false positives and false negatives, also added AppScan Source to commercial tools.)
== Tools ==

Also see [https://www.owasp.org/index.php/Source_Code_Analysis_Tools Source Code Analysis Tools].

=== OWASP Tools ===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]

=== Open Source/Free ===
* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [https://www.owasp.org/index.php/OWASP_LAPSE_Project OWASP LAPSE] (Java)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [http://sourceforge.net/projects/rips-scanner/ RIPS] (PHP)
* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html Fortify RATS] (C, C++, Perl, PHP & Python)

=== Commercial ===
* [https://www.fortify.com/ Fortify] (OWASP Member)
* [http://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Cx Suite]
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.klocwork.com/products/insight.asp Insight]

Revision as of 07:39, 6 January 2012


Last revision (mm/dd/yy): 01/6/2012

Description

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Static Code Analysis tools are designed to analyze source code and/or compiled versions of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids that help an analyst zero in on the security-relevant portions of code so they can find flaws more efficiently, rather than as tools that simply find flaws automatically.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

Techniques

There are various techniques to analyze static source code for potential vulnerabilities.

Data Flow

TBD

Taint Analysis

TBD

Strengths and Weaknesses

Strengths

  • Scales well: it can be run on a large amount of software, and can be run repeatedly (for example in nightly builds).
  • For the kinds of flaws such tools can find automatically with high confidence, such as buffer overflows and SQL injection flaws, they are very effective.

Weaknesses

  • Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
  • High numbers of false positives.
  • Frequently can't find configuration issues, since they are not represented in the code.
  • Difficult to 'prove' that an identified security issue is an actual vulnerability.
  • Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

Limitations

False Positives

A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

False Negatives

The use of static code analysis tools can also result in false negative results, where vulnerabilities exist but the tool does not report them. This might occur if a new vulnerability is discovered in an external component, or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.
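To make the Taint Analysis mentioned in the Description concrete, and to show where the false positives and false negatives described above come from, here is a small added example (not an OWASP tool and not code from this page): a toy, per-function taint tracker for Python source built on the standard ast module. The source, sanitizer and sink names (request_param, escape_sql, execute) and the cache_put/cache_get component in the sample program are assumptions chosen for illustration.

```python
import ast
# Assumed rule set (illustration only); a real tool ships thousands of such rules.
SOURCES = {"request_param"}  # calls returning attacker-controlled input
SANITIZERS = {"escape_sql"}  # calls trusted to neutralise SQL metacharacters
SINKS = {"execute"}          # method names treated as SQL sinks

def _call_name(call):
    return getattr(call.func, "attr", getattr(call.func, "id", ""))

def _tainted(node, tainted):  # may expression `node` carry data derived from a SOURCE?
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):  # e.g. string concatenation
        return _tainted(node.left, tainted) or _tainted(node.right, tainted)
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name in SANITIZERS:
            return False  # trusted sanitizer: taint stops here
        # Unknown call (library or external component): assume it passes taint through
        return name in SOURCES or any(_tainted(a, tainted) for a in node.args)
    return False

def find_tainted_sinks(source):
    """Return [(line, sink)] for every SINK call that receives tainted data."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()  # names holding tainted data; the analysis is per function
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                if _tainted(stmt.value, tainted):
                    tainted.add(stmt.targets[0].id)
                else:
                    tainted.discard(stmt.targets[0].id)  # overwritten with clean data
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if _call_name(call) in SINKS and any(_tainted(a, tainted) for a in call.args):
                    findings.append((stmt.lineno, _call_name(call)))
    return findings
# Constructed sample program, kept as a string so the demo runs offline.
SAMPLE = '''def true_positive(db):
    db.execute("SELECT * FROM t WHERE name = '" + request_param("name") + "'")  # line 2: reported, real flaw
def false_positive(db):
    uid = int(request_param("id"))  # int() cannot carry SQL metacharacters, but the rules do not know int()
    db.execute("SELECT * FROM t WHERE id = " + str(uid))  # line 5: reported, but not exploitable
def store_then_query(db):
    cache_put("name", request_param("name"))  # opaque external component: the tool loses the taint here
    db.execute("SELECT * FROM t WHERE name = " + cache_get("name"))  # line 8: missed, a false negative
'''
```

Calling find_tainted_sinks(SAMPLE) returns [(2, 'execute'), (5, 'execute')]: the real flaw and the false positive are reported, while the flow through the opaque cache is missed. Data passing through a component the tool cannot see is exactly the situation the False Positives and False Negatives sections describe.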

Important Selection Criteria

  • Requirement: Must support your language, but not usually a key factor once it does.
  • Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
  • Does it require a fully buildable set of source?
  • Can it run against binaries instead of source?
  • Can it be integrated into the developer's IDE?
  • License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

Examples

[Screenshot: RIPS PHP Static Code Analysis Tool]

[Screenshot: OWASP LAPSE+ Static Code Analysis Tool]


References

[0] Ministry of Defence (MoD). (1997) SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

Further Reading