Static Analysis

  • Static Analysis, also called "Static Code Analysis," Source Code Review, or White Box Testing, is the analysis of computer software that is performed without actually executing programs built from that software.  In contrast, analysis performed on executing programs is known as Dynamic Analysis.
  • Static analysis ranks very high on the list of software security best practices. 

    Security Development Lifecycle
    (source: McGraw, 2004)

Key Features

  • Early: The promise of static analysis is to idntify common coding problems before a program is released. Often, a compiler doesn't indicate security bugs.
  • Statically: Static analysis examine a program statically without attempting to execute it. 
  • Automatically: Manual code review is very time-consuming, and human code reviewer must be sufficiently knowledgeable in security before they can rigorously examine the code. Static analysis tools are faster and dont require the tool operator to have the same level of security expertise as a human reviewer.


  • Synergy of Static analysis and dynamic analysis: Information Security practitioners are more comfortable with the Dynamic Analysis tools, while Software Development practitioners are comfortable with both Static and Dynamic Analysis tools, but can get the most value out of Static Analysis tools.
  • Static analysis can not solve all your security problems. If a rule has not been incorporated into the tool to find a particular problem, the tool will never find that problem. In fact, a static analysis tools output still requires human evaluation. 
  • Static analysis will not find problems related to operational deployment environments.  Static analysis relies on the review of static code mostly in static environments.

How It Works

MSDN database code analysis
(source: MSDN database code analysis)


For .NET


  • G. McGraw, "Software Security," IEEE Security & Privacy, vol. 2, no. 2, 2004, pp. 8083.
  • B. Chess and G. McGraw, "Static Analysis for Security," IEEE Security & Privacy, vol. 2, No. 6, 2004, pp. 76-79.