
Static Analysis

  • Static Analysis, also called "Static Code Analysis," "Source Code Review," or "White Box Testing," is the analysis of computer software that is performed without actually executing programs built from that software. In contrast, analysis performed on executing programs is known as Dynamic Analysis.
  • Static analysis ranks very high on the list of software security best practices.

    Security Development Lifecycle
    (source: McGraw, 2004)

Key Features

  • Early: The promise of static analysis is to identify common coding problems before a program is released. A compiler often does not flag security bugs.
  • Statically: Static analysis examines a program statically, without attempting to execute it.
  • Automatically: Manual code review is very time-consuming, and human code reviewers must be sufficiently knowledgeable in security before they can rigorously examine the code. Static analysis tools are faster and don't require the tool operator to have the same level of security expertise as a human reviewer.

Issues

  • Synergy of static analysis and dynamic analysis: Information Security practitioners are more comfortable with Dynamic Analysis tools, while Software Development practitioners are comfortable with both Static and Dynamic Analysis tools but get the most value out of Static Analysis tools.
  • Static analysis cannot solve all your security problems. If a rule for a particular problem has not been incorporated into the tool, the tool will never find that problem. In fact, a static analysis tool's output still requires human evaluation.
  • Static analysis will not find problems related to operational deployment environments. Static analysis relies on the review of static code, mostly in static environments.
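The following added example (not from the original page or any tool it names) is a toy rule-based static analyzer: it parses Python source into an AST without executing it, applies two fixed rules, and shows both limitations described above on a constructed sample: a variant no rule covers goes unreported, and a benign call that matches a rule still needs a human to dismiss it. The rule names, the sample code and the `Finding` type are all constructed for illustration.

```python
"""Toy rule-based static analyzer (added illustration, not a real tool)."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule id
    line: int    # line number in the analyzed source
    detail: str  # name of the call that matched


# Rule 1 (constructed): calls to these builtins are reported.
DANGEROUS_CALLS = {"eval", "exec"}


def _call_name(node: ast.Call) -> str:
    """Return the bare name of a called function, e.g. 'run' for subprocess.run()."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def analyze(source: str) -> list[Finding]:
    """Parse `source` and apply the rule set; nothing is executed."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append(Finding("dangerous-call", node.lineno, name))
        # Rule 2 (constructed): process launch with a literal shell=True.
        # It only matches the literal, so shell=<variable> is never reported.
        if name in {"run", "call", "Popen"} and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append(Finding("shell-true", node.lineno, name))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample; `model` is undefined on purpose, the code is never run.
SAMPLE = """\
import subprocess
def handle(user_input, cmd):
    eval(user_input)                      # line 3: reported
    subprocess.run(cmd, shell=True)       # line 4: reported
    use_shell = True
    subprocess.run(cmd, shell=use_shell)  # line 6: missed, no rule covers it
    model.eval()                          # line 7: reported, benign; needs human review
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.rule}: line {f.line} ({f.detail})")
```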

How It Works

MSDN database code analysis
(source: MSDN database code analysis)

Tools

For .NET

References

  • G. McGraw, "Software Security," IEEE Security & Privacy, vol. 2, no. 2, 2004, pp. 80-83.
  • B. Chess and G. McGraw, "Static Analysis for Security," IEEE Security & Privacy, vol. 2, no. 6, 2004, pp. 76-79.