Static Analysis Tools for security
Software security is no longer a problem only for software designers, developers, and testers. Almost all white-collar crime now involves computer security, and it matters for both home and business computers. Operating system vendors are trying to provide a secure environment, and developers are trying to find security vulnerabilities during the early phases of software development. Source code analysis tools are designed to analyse source code for security flaws during the development phase of the software development life cycle (SDLC).
Security analysis tools can work either on the source code, using static analysis, or on the compiled binary, using dynamic analysis that runs the application on test data.
Static analysis tools use the source code to analyse the security of the software. A bug found early in the software development life cycle costs less to fix, and static analysis tools help identify security vulnerabilities during the development phase.
Dynamic analysis is based on executing the system from its binary files. It does not require the source code of the software and is often used for instrumentation. Dynamic analysis can be more complex to design for security testing and may not achieve full coverage of the source code.
Static analysis tools analyse source code without executing the application, so they can cover every execution path in the source when looking for vulnerabilities. They fit the developer's point of view but have little insight into runtime data, and they will not solve every security issue. Static code analysis applies a set of rules describing security flaws and validates the code against those rules; the findings also require manual review to weed out false positives.
Pattern matching uses a simple grep-style tool to find all occurrences of safe and unsafe operations in the source code. It is not well suited to complex static analysis.
A lexer turns the source code into a stream of tokens, and the tokens are matched against a database of known vulnerability patterns.
Data-flow analysis is a traditional compiler technique for solving similar problems and can be used as the basis of a vulnerability detection system.
When data comes from an untrusted source, the analysis reports every location where that data is used.
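The source-to-sink tracking described above, as an added example that is not part of the original post: a toy taint analyser for Python code built on the standard `ast` module. It marks values returned by untrusted sources, propagates the mark through assignments and expressions, clears it at sanitisers, and reports every sink call that receives marked data. The source, sink and sanitiser names, and the sample program it inspects, are constructed assumptions for illustration.

```python
import ast

SOURCES = {"input", "request.args.get"}         # untrusted data enters here
SINKS = {"os.system", "cursor.execute", "eval"}  # dangerous if fed tainted data
SANITIZERS = {"shlex.quote", "int"}              # calls whose result is trusted

# Constructed sample program to analyse (it is only parsed, never executed).
SAMPLE = '''
name = input("file: ")
cmd = "cat " + name
os.system(cmd)
safe = shlex.quote(name)
os.system("cat " + safe)
cursor.execute(f"SELECT * FROM t WHERE n = '{name}'")
'''

def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return node.id if isinstance(node, ast.Name) else None

def is_tainted(expr, tainted):
    """Flow-insensitive check: does this expression carry untrusted data?"""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES or name in SANITIZERS:
            return name in SOURCES           # a sanitiser's result is trusted
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # BinOp, f-string, Subscript, Attribute ...: taint propagates from any child.
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr)
               if isinstance(c, ast.expr))

def find_taint_flows(source):
    """Return sorted (line, sink) pairs where tainted data reaches a sink."""
    tree = ast.parse(source)
    tainted, changed = set(), True
    while changed:  # iterate to a fixpoint so statement order does not matter
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
                names = {t.id for t in node.targets if isinstance(t, ast.Name)}
                changed |= not names <= tainted
                tainted |= names
    return sorted((n.lineno, dotted_name(n.func)) for n in ast.walk(tree)
                  if isinstance(n, ast.Call) and dotted_name(n.func) in SINKS
                  and any(is_tainted(a, tainted) for a in n.args))
```

Running `find_taint_flows(SAMPLE)` flags the `os.system(cmd)` and f-string `cursor.execute` calls but not the `shlex.quote`-sanitised command, which is the kind of result a reviewer then confirms by hand.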
Some IDEs have started to integrate static analysis tools. The tools can identify buffer overflows, SQL injection flaws, cross-site scripting, format string bugs, integer overflows, out-of-bounds array access, out-of-bounds array access with a negative array index, arithmetic overflow when allocating an array of objects, scanf/getstring buffer overflows, and more security flaws.
HP Fortify Software Security Center
The following web page lists more tools available for static code analysis.
We have discussed many tools for static analysis. A project should decide whether to use open source or free tools, or commercial ones, based on the following considerations.
Cost: Open source tools may have limited features. Commercial tools cost money but may support more features. The project should weigh the cost of the application.
Reporting flexibility: The tools should support multiple report formats to give more insight into each vulnerability.
Programming language support: Open source tools don't support multiple programming languages and environments, whereas commercial tools may support multiple languages and environments (Android, Windows, Linux, etc.).
Good bug-finding performance: Tools may take a long time to find vulnerabilities. Enterprise-grade tools may identify issues faster than stand-alone applications.
Customize or add rules: The tool should support customizing the rules, and adding or updating rules based on business requirements.
Originally published at careerdrill.com on August 15, 2016.