In this presentation, I explain "What is Static Code Analysis & Tools", covering the following sub-topics:
1. What is static code analysis?
2. Why static code analysis?
3. Benefits of static code analysis
4. Why is static code analysis bad?
5. Available tools
1. What Is Static Code Analysis & Static Code Analysis Tools
Rohana K Amarakoon
MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (US - Reading)
2. Content
1. What is static code analysis?
2. Why static code analysis?
3. Benefits of static code analysis
4. Why is static code analysis bad?
5. Available Tools
6. Conclusion
7. References
3. 1. What is static code analysis?
Code analysis is not a new thing.
Code analysis has been in the software industry for a long time: senior developers or
team leads had the responsibility to set up manual code analysis to maintain the
quality of the software's source code.
4. 1. What is static code analysis?
Static code analysis is a method of computer program debugging that is done by
examining the code without executing the program.
Static code analysis is also commonly called "white-box" testing: the source code is
available to the testers, and many types of testing methods can be applied to it.
The process provides an understanding of the code structure and can help to
ensure that the code adheres to industry standards.
5. 1. What is static code analysis?
This method of security testing has the distinct advantage that it can evaluate both
web and non-web applications and, through advanced modeling, can detect flaws
in the software's inputs and outputs that cannot be seen through dynamic web
scanning alone.
7. 2. Why static code analysis?
Over the last few years, software code quality and security have gone from being a
"nice to have" to a necessity for many organizations.
Static code analysis scans ALL code, so static analysis has a higher probability of
finding those vulnerabilities.
Static code analysis is a method of detecting errors and defects located in the
source code of a program without execution.
8. 2. Why static code analysis?
A static code analyzer looks for patterns, defined to it as rules, that can cause
security vulnerabilities or other code quality problems in code that must be of
production quality.
Static code analysers are not a new thing; they have been around for a long time. But as
a senior Java developer or team lead, you have the responsibility to set up processes like
automated code analysis, continuous integration and automated testing to keep your
project in a healthy state and promote best development practices in your team.
10. 2. Why static code analysis?
Save Precious Remediation Time
• Unique "Best Fix Location" algorithm fixes multiple vulnerabilities at a single point
• Any developer can do it
• Tons of time saved for developers!
11. 3. Benefits of static code analysis
Effortless Scan = Ease of Use
• No complex command line or wizards required
• No dependencies need to be configured
• No learning curve when switching between languages
• Just throw code at it!
12. 3. Benefits of static code analysis
Fast Feedback Loop
• Incremental scan capability only analyzes new code or modified code
• Reduces scanning time by more than 80%
• Ideal for continuous integration
13. 3. Benefits of static code analysis
Provable Results
• Provides reasoning and proof with all results
• Shows the underlying scan rule to provide the root cause
14. 3. Benefits of static code analysis
Flexible Rules = High Accuracy
• Adapt the rule set to your proprietary code and minimize false positives
• Expand the rules to your own compliance requirements and coding best practices
• Understand the root cause for each result
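As an added example (not code from the presentation or from any tool it names), the following small rule-based analyzer in Python shows the ideas from the "Why static code analysis?" slide and the benefit slides above: rules as plain data that a team can extend or tune, each finding reported with its rule id and exact line as the root cause, and an incremental scan that re-analyses only files whose content hash changed. The module it scans is constructed, and the rule ids SA001 to SA003 are hypothetical.

```python
import ast
import hashlib

# Constructed sample module (not from the presentation) with three risky patterns.
SAMPLE_SOURCE = '''import subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.call(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''
def dangerous_call(node):
    # Rule predicate: a bare call to eval() or exec().
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in ("eval", "exec"))
def shell_true(node):
    # Rule predicate: any call that passes shell=True.
    return isinstance(node, ast.Call) and any(
        kw.arg == "shell" and getattr(kw.value, "value", None) is True
        for kw in node.keywords)
def hardcoded_secret(node):
    # Rule predicate: a string literal assigned to a secret-looking name.
    return (isinstance(node, ast.Assign)
            and isinstance(getattr(node.value, "value", None), str)
            and any(isinstance(t, ast.Name)
                    and any(w in t.id.lower() for w in ("password", "secret", "token"))
                    for t in node.targets))
# The rule set is plain data, so a team can add, drop or tune rules for its own code.
RULES = [("SA001", "eval/exec on runtime data", dangerous_call),
         ("SA002", "subprocess call with shell=True", shell_true),
         ("SA003", "hard-coded credential", hardcoded_secret)]
def scan_source(source, rules=RULES):
    # One AST walk; each finding carries the rule id (root cause) and the exact line.
    findings = [(rid, node.lineno, desc)
                for node in ast.walk(ast.parse(source))
                for rid, desc, pred in rules if pred(node)]
    return sorted(findings, key=lambda f: f[1])
def scan_incremental(sources, cache, rules=RULES):
    # Incremental scan: re-analyse only files whose content hash changed.
    # cache maps path -> (sha256 hex digest, findings) and is updated in place.
    results, rescanned = {}, []
    for path, src in sources.items():
        digest = hashlib.sha256(src.encode()).hexdigest()
        if cache.get(path, (None,))[0] != digest:
            cache[path] = (digest, scan_source(src, rules))
            rescanned.append(path)
        results[path] = cache[path][1]
    return results, rescanned
```

Running scan_source(SAMPLE_SOURCE) reports the credential on line 2, the shell=True call on line 4 and the eval on line 6; a second scan_incremental call with an unchanged file rescans nothing.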
15. 4. Why Static Code Analysis Is Bad?
Static analysis produces too many false positives: warnings that are sometimes safe
to ignore and not really an issue. This creates a lot of work for developers, who then
treat them as low priority and eventually stop fixing them.
Static code analysers take too long to run, and after some time developers never
bother to run them. You can minimize this problem by making static code analysis
part of your build process, and not an optional, good-to-do alternative. Second,
you must review and write custom rules so that it won't take too long to
execute.
17. 6. Available tools (usage by developers)
18. 5. Conclusion
Static code analysis advantages:
• It can find weaknesses in the code at the exact location.
• It can be conducted by trained software assurance developers who fully
understand the code.
• It allows a quicker turnaround for fixes.
• It is relatively fast if automated tools are used.
• Automated tools can scan the entire code base.
• Automated tools can provide mitigation recommendations, reducing the research
time.
• It permits weaknesses to be found earlier in the development life cycle, reducing
the cost to fix.
19. 5. Conclusion
Static code analysis limitations:
• It is time consuming if conducted manually.
• Automated tools do not support all programming languages.
• Automated tools produce false positives and false negatives.
• There are not enough trained personnel to thoroughly conduct static code
analysis.
• Automated tools can provide a false sense of security that everything is being
addressed.
• Automated tools are only as good as the rules they scan with.
• It does not find vulnerabilities introduced in the runtime environment.
20. 7. References
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
http://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools/
https://www.owasp.org/index.php/Static_Code_Analysis
21. Thank You!