Uploaded byRohana K Amarakoon
What is Static Code Analysis & Tools
In this presentation, I explain about "what is Static Code Analysis & Tools" with sub topics including, 1. What is static code analysis? 2. Why of static code analysis? 3. Benefits of static code analysis? 4. Why static code analysis is bad? 5. Available Tools
What is Static Code Analysis & Tools
- 1. What Is StaticCode Analysis & Static Code Analysis Tools Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (US - Reading)
- 2. Content 1. What isstatic code analysis? 2. Why of static code analysis? 3. Benefits of static code analysis? 4. Why static code analysis is bad? 5. Available Tools 6. Conclusion 7. References 2 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 3. 1. What isstatic code analysis? Code analysis are not a new thing. Code analysis was in the software industry for long time, senior developers or Team lead, had responsibility to set-up manual code analysis to maintain the quality of the source code of the software. 3 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 4. 1. What isstatic code analysis? Static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. Static code analysis, also commonly called "white-box" testing. Source code is available to the testers including many types of testing methods. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards. 4 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 5. 1. What isstatic code analysis? This method of security testing has distinct advantages in that it can evaluate both web and non-web applications and through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone. 5 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 6. 1. What isstatic code analysis? 6 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 7. 2. Why staticcode analysis? From last few years, Software code quality and security has went from being a “nice to have” to a necessity, and many organizations. Static code analysis scans ALL code. Static analysis has a higher probability of finding those vulnerabilities. Static code analysis is a method of detecting errors and defects located in the source code of a program without execution. 7 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 8. 2. Why staticcode analysis? Static code analyzer looks for patterns, defined to them as rules, which can cause those security vulnerability or other code quality problems, necessary for production quality code. Static code analyser are not a new thing, and they are here from long time, but as a senior Java developer or Team lead, you have responsibility to set-up process like automated code analysis, continuous integration, automation testing to keep your project in healthy state and promote best development practices in your team. 8 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 9. 2. Why staticcode analysis? Static code analyzer looks for patterns, defined to them as rules, which can cause those security vulnerability or other code quality problems, necessary for production quality code. Static code analyser are not a new thing, and they are here from long time, but as a senior Java developer or Team lead, you have responsibility to set-up process like automated code analysis, continuous integration, automation testing to keep your project in healthy state and promote best development practices in your team. 9 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 10. 2. Why staticcode analysis? 10 Save Precious Remediation Time •Unique “Best Fix Location” algorithm fixes multiple vulnerabilities at a single point •Any developer can do it •Tons of time saved for developers! Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 11. 3. Benefits ofstatic code analysis 11 Effortless Scan = Ease of Use •No complex command-line or wizards required •No dependencies need to be configured •No learning curve when switching between languages •Just throw code at it! Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 12. 3. Benefits ofstatic code analysis 12 Fast Feedback Loop •Incremental scan capability only analyzes new code or modified code •Reduces scanning time by more than 80% •Ideal for continuous integration Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 13. 3. Benefits ofstatic code analysis 13 Provable Results •Provides reasoning and proof with all results •Shows the underlying scan rule to provide root cause Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 14. 3. Benefits ofstatic code analysis 14 Flexible Rules = High Accuracy •Adapt the rule set to your proprietary code and minimize False Positives •Expand the rules to your own compliance requirements and coding best practices •Understand the root cause for each result Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 15. 4. Why StaticCode Analysis Is Bad? 15 Static analysis is produces too many false positives. Those are warnings, which are sometime safe to ignore and not really an issue. This creates a lot of work for developers, which then taking them as low priority and eventually stop fixing them. Static code analysers is take too long to run and after some time developers never bother to run them. You can minimize this problem by making static code analysis part of your build process, and not an optional, good to do alternative. Second thing, you must review and write custom rules, so that it won't take too long to execute. Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 16. 5. Available tools 16 RohanaK Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 17. 6. Available tools(usage by developers) 17 Rohana K Amarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading)
- 18. 5. Conclusion 18 Rohana KAmarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading) Static code analysis advantages: • It can find weaknesses in the code at the exact location. • It can be conducted by trained software assurance developers who fully understand the code. • It allows a quicker turn around for fixes. • It is relatively fast if automated tools are used. • Automated tools can scan the entire code base. • Automated tools can provide mitigation recommendations, reducing the research time. • It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.
- 19. 5. Conclusion 19 Rohana KAmarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading) Static code analysis limitations: • It is time consuming if conducted manually. • Automated tools do not support all programming languages. • Automated tools produce false positives and false negatives. • There are not enough trained personnel to thoroughly conduct static code analysis. • Automated tools can provide a false sense of security that everything is being addressed. • Automated tools only as good as the rules they are using to scan with. • It does not find vulnerabilities introduced in the runtime environment.
- 20. 7. References 20 Rohana KAmarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (Reading) https://www.owasp.org/index.php/Source_Code_Analysis_Tools https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/ http://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools/ https://www.owasp.org/index.php/Static_Code_Analysis
- 21. Thank You! 21 Rohana KAmarakoon MBA (Aus), MBCS (UK), B.Sc special (IS- Sri Lanka), PMP (US - Reading)