Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Online Stores Case
Static Code Analysis, also called "Source Code Review" or "White Box Testing", is the analysis of computer software that is performed without actually executing programs built from that software. In contrast, analysis performed on executing programs is known as dynamic analysis.
Static analysis ranks very high on the list of software security best practices.
(source: McGraw, 2004)
The promise of static analysis is to identify common coding problems before a program is released. A compiler often does not indicate security bugs.
Static analysis examines a program statically, without attempting to execute it.
Manual code review is very time-consuming, and human code reviewers must be sufficiently knowledgeable in security before they can rigorously examine the code. Static analysis tools are faster and don't require the tool operator to have the same level of security expertise as a human reviewer.
Synergy of Static analysis and dynamic analysis
practitioners are more comfortable with the Dynamic Analysis tools, while
practitioners are comfortable with both Static and Dynamic Analysis tools, but can get the most value out of Static Analysis tools.
Static analysis cannot solve all your security problems.
If a rule has not been incorporated into the tool to find a particular problem, the tool will never find that problem. In fact, a static analysis tool's output still requires human evaluation.
Static analysis will not find problems related to operational deployment environments.
Static analysis relies on the review of static code mostly in static environments.
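As an added example (not part of the slides), the following Python script is a minimal rule-based static checker of the kind described here. It parses a constructed sample of source code into a syntax tree and never runs it; its single rule reports SQL statements assembled from run-time strings and handed to an execute() method, and the sample also contains a case the rule cannot see. The names SAMPLE_SOURCE, is_dynamic_string and find_dynamic_sql are hypothetical.

```python
import ast

# Constructed sample source for the checker to read; it is parsed, never executed.
SAMPLE_SOURCE = '''
def find_product(db, name):
    cur = db.cursor()
    cur.execute("SELECT * FROM products WHERE name = '" + name + "'")  # concatenation
    cur.execute("SELECT * FROM products WHERE name = %s", (name,))      # parameterised
    query = "SELECT * FROM products WHERE name = '%s'" % name
    cur.execute(query)                                                  # built one line earlier
'''


def is_dynamic_string(node):
    """True when the expression assembles a string at run time: concatenation,
    %-formatting, str.format() or an f-string. A plain literal returns False."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_dynamic_sql(source):
    """Rule: report every call to a method named execute whose first argument is
    a string built at run time. Returns a list of (line number, reason) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and is_dynamic_string(node.args[0])):
            findings.append((node.lineno, "SQL statement assembled from run-time strings"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
    # Only line 4 is reported. Line 7 is just as unsafe, but the statement is
    # assembled on line 6 and only a variable reaches execute(); without a
    # data-flow rule the tool has no way to see it. That is the limitation
    # described above, and why the tool's output still needs a human reviewer.
```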
How It Works
MSDN database code analysis
Static analysis tools typically check
, while a smaller set of them can check
View a list of Source Code Security Analyzers at SAMATE (Software Assurance Metrics And Tool Evaluation)
Wiki's list of tools for static code analysis
Static analysis (Department of Homeland Security)
Improving ASP.NET Security with Visual Studio 2010 Code Analysis
FxCop for Visual Studio 2010 Premium
StyleCop for Visual Studio 2010
Code analysis for Visual Studio 2012
Code analysis for Visual Studio 2013
G. McGraw, "Software Security," IEEE Security & Privacy, vol. 2, no. 2, 2004, pp. 80-83.
B. Chess and G. McGraw, "Static Analysis for Security," IEEE Security & Privacy, vol. 2, no. 6, 2004, pp. 76-79.