Before we can dig deeper into the topic of static analysis, we must first understand how it works. Once a foundation has been established, we’ll then analyze a variety of scenarios to determine when static analysis tools are the best method to find security bugs.
Static analysis refers to the examination of a piece of software without executing it. In the world of security, it refers to discovering security related bugs in software without actually running the software. Static code analysis is a white box method of testing, meaning that the tester has access to the underlying framework, design, and structure of the software. The process typically includes examining the code structure, studying the various data and control flows, and referring to the configuration settings to discover various types of security bugs.
Static code analysis can be automated or conducted manually. An automated review uses static analysis tools to discover bugs. It is faster than a manual review and generally provides better code coverage. Static analysis tools are effective at finding common security bugs. A manual review, on the other hand, is better at discovering complex bugs such as those related to authentication. The manual approach can also be very effective at analyzing business logic for security bugs. Manual reviews take more time but they’re more thorough and the bugs discovered have a very high confidence rate.
Static analysis tools provide developers with accurate and timely code feedback and are often integrated near the end of the software development life cycle (SDLC). Tools can provide excellent insight into the quality of the developed code.
The following considerations must be made when adopting the usage of static analysis tools:
Static code analysis tools work best under these favorable conditions. However, in many cases, they need to be combined with other techniques like manual code review to complement the tools with the expertise of a human. Humans, unlike these scanning tools, are able to understand the context of the software and goals of the business.
Multiple techniques like static analysis, dynamic analysis, and manual code review are often used in conjunction within the SDLC to get a comprehensive analysis of the software at hand.