What is a static analysis tool?
As we found out last week, conducting a risk assessment is necessary in order to produce secure apps, but it is also a costly and time-consuming process.
In order to make security risk assessment easier, we can use automated tools to inspect the apps against well-known software errors and vulnerabilities. These tools can be divided into two categories:
Static analysis tools.
Dynamic analysis tools.
Static analysis tools analyse the code during the implementation stage of the development life cycle. They scan the source code of the app without actually running the code.
Dynamic analysis tools inspect the app when it is actually running. Often this analysis is performed on the fully working code in the production environment.
Static analysis tools as part of the development environment
In this course we will focus on static code analysis tools. These tools can be integrated with the Integrated Development Environment (IDE) of the developer. This integration makes it easier to detect and fix any security risks during the development phase, which saves time and effort later.
These tools use different techniques to analyse and detect vulnerabilities in code, such as Data Flow Analysis and Taint Analysis. Using these tools we can gain a higher level of confidence that we have found the vulnerabilities and flaws in our code.
False positive and false negatives
Static analysis tools are not perfect and can misreport vulnerabilities. This can occur in one of two ways:
False Positive: this is when the tool reports a flaw in the code, when in actual fact the code is perfectly fine.
False Negative: this is when the tool fails to detect a real flaw in the code.
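To make the taint analysis technique and the two kinds of misreport concrete, here is an added example that is not part of the course page: a toy taint analyser written on top of Python's standard ast module. It assumes a fixed list of sources (input, request.args.get), sinks (os.system, cursor.execute, eval) and sanitizers (int, shlex.quote); those names, the four sample scripts, and the helper escape_sql are all constructed for the demonstration, not taken from any real tool. The four samples show a true positive, a true negative, a false positive (a project-specific escaping helper the tool has not been told about) and a false negative (a data flow through a container that this analyser does not track).

```python
"""Toy taint analysis over Python source, built on the standard `ast` module.

Added teaching example, not code from the course page. It models the three
kinds of call a taint analysis tool is configured with (all names assumed):
  sources    - return attacker-controlled data      (input, request.args.get)
  sinks      - dangerous if they receive tainted data (os.system, cursor.execute, eval)
  sanitizers - their result is treated as clean      (int, shlex.quote)
It walks a script's statements in order and tracks which variable names hold
tainted data at each point: a small flow-sensitive data flow analysis.
"""
import ast

SOURCES = {"input", "request.args.get"}
SINKS = {"os.system", "cursor.execute", "eval"}
SANITIZERS = {"int", "shlex.quote"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain such as cursor.execute, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """Expression-level propagation: does `expr` carry data from a source?"""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False            # a known sanitizer's output is trusted
        # unknown function: conservatively pass taint through its arguments
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # concatenation, % formatting, f-strings, subscripts: tainted if any part is
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))


def analyze_block(stmts, tainted, findings):
    """Statement-level propagation over a list of statements, in program order."""
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            # Analyse both branches from the same state, then merge with a union:
            # a name stays tainted after the `if` when either path could taint it.
            then_t, else_t = set(tainted), set(tainted)
            analyze_block(stmt.body, then_t, findings)
            analyze_block(stmt.orelse, else_t, findings)
            tainted.clear()
            tainted.update(then_t | else_t)
            continue
        # Report every sink call in this statement that receives tainted data.
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
                for arg in node.args:
                    if is_tainted(arg, tainted):
                        findings.append((node.lineno, dotted_name(node.func), ast.unparse(arg)))
        # Then update the state; only simple `name = expr` assignments are tracked.
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            name = stmt.targets[0].id
            if is_tainted(stmt.value, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)   # overwriting with clean data kills the taint


def analyze(source):
    """Return [(line, sink, argument_text), ...] for the given Python source."""
    findings = []
    analyze_block(ast.parse(source).body, set(), findings)
    return findings


# --- Constructed sample scripts (analysed as text, never executed) -------------
TRUE_POSITIVE = '''
host = input("host: ")
os.system("ping -c 1 " + host)          # tainted string reaches a sink: reported
'''
TRUE_NEGATIVE = '''
age = int(input("age: "))               # int() is a known sanitizer: taint cleared
cursor.execute("SELECT * FROM users WHERE age = %d" % age)
'''
FALSE_POSITIVE = '''
name = escape_sql(input("name: "))      # project escaper unknown to the tool
cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''
FALSE_NEGATIVE = '''
cfg = {}
cfg["host"] = input("host: ")           # write into a container is not tracked
os.system("ping -c 1 " + cfg["host"])   # tainted data reaches a sink: missed
'''

if __name__ == "__main__":
    for label, src in [("true positive", TRUE_POSITIVE), ("true negative", TRUE_NEGATIVE),
                       ("false positive", FALSE_POSITIVE), ("false negative", FALSE_NEGATIVE)]:
        print(label, "->", analyze(src))
```

The false positive disappears once escape_sql is added to SANITIZERS, which is exactly the configurability and customisation a good tool offers; the false negative would need the analyser to model writes to container elements and attributes, which is where real tools spend much of their complexity. Merging the two branches of an if with a union makes this a "may be tainted" analysis: it prefers extra reports over missed ones, so tightening it in either direction trades false positives against false negatives.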
Like all tools, static analysis tools vary in their quality. There are various factors that we can use to compare and rank these tools. These factors include:
low false positives and false negatives
quality of the report and recommendations
stability of the tool, and availability of vendor or community support if needed
support for a wide range of standard vulnerability classifications
configurability and support for customisation
scalability, analysis speed, and support for team working
There are links to further information about static analysis at the bottom of this page.
© University of Southampton 2017