What Is Static Code Analysis
&
Static Code Analysis Tools
Rohana K Amarakoon
MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (US - Reading)
Content
1. What is static code analysis?
2. Why static code analysis?
3. Benefits of static code analysis
4. Why static code analysis is bad?
5. Available tools
6. Conclusion
7. References
1. What is static code analysis?
Code analysis is not a new thing. It has been in the software industry for a long time: senior developers or team leads had the responsibility to set up manual code analysis to maintain the quality of the software's source code.
Static code analysis is a method of computer program debugging that is done by examining the code without executing the program.
Static code analysis is also commonly called "white-box" testing: the source code is available to the testers, and many types of testing methods can be applied to it.
The process provides an understanding of the code structure and can help to ensure that the code adheres to industry standards.
This method of security testing has distinct advantages: it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software's inputs and outputs that cannot be seen through dynamic web scanning alone.
2. Why static code analysis?
Over the last few years, software code quality and security have gone from being a "nice to have" to a necessity for many organizations.
Static code analysis scans ALL code.
Static analysis therefore has a higher probability of finding those vulnerabilities.
Static code analysis is a method of detecting errors and defects located in the source code of a program without executing it.
A static code analyzer looks for patterns, defined to it as rules, which can cause security vulnerabilities or other code quality problems; removing them is necessary for production-quality code.
Static code analyzers are not a new thing, and they have been around for a long time; but as a senior Java developer or team lead, you have the responsibility to set up processes like automated code analysis, continuous integration and automated testing to keep your project in a healthy state and promote best development practices in your team.
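As an added example (not code from this deck or from any tool it mentions), the following minimal Python analyzer shows what "patterns defined as rules" means in practice: each rule is a predicate over the parsed syntax tree, and the analyzer reports every node that matches, together with the rule id and the reasoning behind it, without ever running the code. The sample module, the rule ids EX001 to EX003 and the messages are constructed for the demonstration.

```python
"""Minimal rule-based static analyzer (added example, not the deck's own code).

Each rule is a named pattern evaluated against the abstract syntax tree of the
source; nothing in the analysed code is executed.  The sample source below is
constructed for the demo and the rule ids EX001..EX003 are hypothetical.
"""
import ast
from dataclasses import dataclass

# Constructed sample input: a small module with a few weak constructs.
SAMPLE_SOURCE = '''
import os
import subprocess

DB_PASSWORD = "hunter2"          # hard-coded secret

def run(cmd):
    subprocess.call(cmd, shell=True)   # shell=True with caller-controlled input

def compute(expr):
    return eval(expr)            # eval of untrusted input

def safe(cmd):
    subprocess.call(["ls", "-l"])      # argv list, no shell: not flagged
'''


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'subprocess.call'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


# A rule is (id, predicate over an AST node, message).  The predicate is the
# "pattern"; the message is the reasoning reported next to the result.
def rule_eval(node):
    return isinstance(node, ast.Call) and _call_name(node) == "eval"


def rule_shell_true(node):
    if not (isinstance(node, ast.Call) and _call_name(node).startswith("subprocess.")):
        return False
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def rule_hardcoded_secret(node):
    if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
            and isinstance(node.value.value, str)):
        return False
    names = [t.id.lower() for t in node.targets if isinstance(t, ast.Name)]
    return any(any(k in n for k in ("password", "secret", "token")) for n in names)


RULES = [
    ("EX001", rule_eval, "eval() executes arbitrary code; use ast.literal_eval or a parser"),
    ("EX002", rule_shell_true, "subprocess with shell=True enables command injection; pass an argv list"),
    ("EX003", rule_hardcoded_secret, "hard-coded secret in source; load it from a secret store"),
]


def analyze(source: str, rules=RULES) -> list[Finding]:
    """Parse the source and apply every rule to every node; the code never runs."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        for rule_id, predicate, message in rules:
            if predicate(node):
                findings.append(Finding(rule_id, node.lineno, message))
    return sorted(findings, key=lambda f: (f.line, f.rule_id))


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule_id}] {f.message}")
```

The `RULES` list is where the "flexible rules" of a real analyzer live: adding a project-specific rule, or dropping one that only produces noise on your code base, is a one-line change to that list rather than a change to the analyzer.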
Save Precious Remediation Time
• Unique “Best Fix Location” algorithm fixes multiple vulnerabilities at a single point
• Any developer can do it
• Tons of time saved for developers!
3. Benefits of static code analysis
Effortless Scan = Ease of Use
• No complex command-line or wizards required
• No dependencies need to be configured
• No learning curve when switching between languages
• Just throw code at it!
Fast Feedback Loop
• Incremental scan capability only analyzes new code or modified code
• Reduces scanning time by more than 80%
• Ideal for continuous integration
Provable Results
• Provides reasoning and proof with all results
• Shows the underlying scan rule to provide root cause
Flexible Rules = High Accuracy
• Adapt the rule set to your proprietary code and minimize False Positives
• Expand the rules to your own compliance requirements and coding best practices
• Understand the root cause for each result
4. Why Static Code Analysis Is Bad?
Static analysis produces too many false positives: warnings that are sometimes safe to ignore and not really an issue. This creates a lot of work for developers, who then treat the warnings as low priority and eventually stop fixing them.
Static code analyzers take too long to run, and after some time developers never bother to run them. You can minimize this problem by making static code analysis part of your build process rather than an optional, good-to-do alternative. Second, you must review and write custom rules so that the analysis does not take too long to execute.
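The two remedies above, together with the incremental-scan and flexible-rules points from the benefits slides, come down to how findings are handled in the pipeline. As an added example (not from the deck or from any tool it mentions), this Python snippet restricts a scan to the files a change touched, suppresses findings a reviewer has already triaged as false positives through a baseline keyed on a content fingerprint rather than a line number, and turns whatever remains into a build exit code. The findings, file names, rule ids, severities and baseline format are all constructed for the demonstration.

```python
"""CI gating for static analysis findings (added example, not the deck's own code).

Three practices in one place: an incremental scan that only looks at changed files,
a reviewed baseline that hides known false positives so they stop burying real
findings, and a build gate that fails the pipeline on what is left.  Findings,
file names, rule ids, severities and the baseline format are constructed for the
demo and are this example's own convention.
"""
import hashlib
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def fingerprint(rule_id: str, path: str, snippet: str) -> str:
    """Stable identity for a finding that survives line-number shifts: hash the
    rule, the file and the offending line's text (whitespace-normalised)."""
    normalised = " ".join(snippet.split())
    digest = hashlib.sha256(f"{rule_id}|{path}|{normalised}".encode()).hexdigest()
    return digest[:16]


def incremental_scope(all_files, changed_files):
    """Incremental scan: analyse only the files touched by the change set."""
    return sorted(set(all_files) & set(changed_files))


def suppress_baseline(findings, baseline):
    """Drop findings a reviewer has already triaged as false positives.
    `baseline` maps fingerprint -> written justification."""
    return [f for f in findings if f["fingerprint"] not in baseline]


def gate(findings, fail_at="HIGH"):
    """Return a process exit code: 1 if any finding meets the severity threshold."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return 1 if blocking else 0


def make_finding(rule_id, path, line, snippet, severity):
    return {"rule_id": rule_id, "file": path, "line": line, "snippet": snippet,
            "severity": severity, "fingerprint": fingerprint(rule_id, path, snippet)}


# Constructed scan output: two findings in a changed file, one in an untouched file.
FINDINGS = [
    make_finding("EX002", "app/run.py", 8, "subprocess.call(cmd, shell=True)", "HIGH"),
    make_finding("EX003", "app/run.py", 5, 'DB_PASSWORD = "hunter2"', "HIGH"),
    make_finding("EX001", "tools/legacy.py", 11, "return eval(expr)", "HIGH"),
]

# Constructed reviewed baseline: the hard-coded value is a test fixture, accepted by
# a reviewer with a justification, so the same finding is not raised again.
BASELINE = {
    fingerprint("EX003", "app/run.py", 'DB_PASSWORD = "hunter2"'):
        "test fixture, not a real credential",
}


def run_pipeline(findings, changed_files, baseline, fail_at="HIGH"):
    """Restrict to changed files, apply the baseline, then gate the build.
    Returns (remaining findings, exit code)."""
    scope = incremental_scope([f["file"] for f in findings], changed_files)
    in_scope = [f for f in findings if f["file"] in scope]
    remaining = suppress_baseline(in_scope, baseline)
    return remaining, gate(remaining, fail_at)


if __name__ == "__main__":
    remaining, code = run_pipeline(FINDINGS, ["app/run.py"], BASELINE)
    print(json.dumps(remaining, indent=2))
    sys.exit(code)
```

Run stand-alone, the script prints the one finding that survives (the `shell=True` call) and exits with status 1, which is what makes the analysis "part of your build process": the pipeline stops on a real finding while the triaged false positive stays silent, and the untouched `tools/legacy.py` is not rescanned at all.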
5. Available tools
5. Available tools (usage by developers)
6. Conclusion
Static code analysis advantages:
• It can find weaknesses in the code at the exact location.
• It can be conducted by trained software assurance developers who fully
understand the code.
• It allows a quicker turnaround for fixes.
• It is relatively fast if automated tools are used.
• Automated tools can scan the entire code base.
• Automated tools can provide mitigation recommendations, reducing the research
time.
• It permits weaknesses to be found earlier in the development life cycle, reducing
the cost to fix.
Static code analysis limitations:
• It is time consuming if conducted manually.
• Automated tools do not support all programming languages.
• Automated tools produce false positives and false negatives.
• There are not enough trained personnel to thoroughly conduct static code
analysis.
• Automated tools can provide a false sense of security that everything is being
addressed.
• Automated tools are only as good as the rules they scan with.
• It does not find vulnerabilities introduced in the runtime environment.
7. References
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
http://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools/
https://www.owasp.org/index.php/Static_Code_Analysis
Thank You!