How Static Analysis Complements Other Development Tools
Because static analysis tools do not always know the context in which a function is used, they commonly report false positives. False positives take time to locate in the source code and to classify as either a serious bug that needs fixing or a non-issue. Each bug reported by the analyzer should be reviewed by a discerning expert who can decide which findings are serious enough to fix. Any modification to the code results in code churn, which can, in turn, introduce new bugs. Fixing bugs that do not exist, or that pose no threat, can therefore increase the total number of real functional or security bugs. This risk is mitigated by having an expert decide which reported bugs should be fixed and which reported errors can never occur and do not require a change.
It is important for a tool to allow the user to easily manage false positives. This not only cuts down on the number of false positive results in future builds, but also lets the user focus more quickly and easily on the bug reports that actually need to be addressed.
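One way to make reviewed false positives stay suppressed across builds, added here as an illustration and not code from any particular analyzer or from the original article: key each suppression on a fingerprint of the rule, file and normalized source line rather than on the line number, so ordinary code churn does not resurrect a finding the expert already dismissed, while a change to the flagged line itself brings it back for review. The finding format, rule names and file paths are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # analyzer rule id, e.g. "NULL_DEREF" (constructed name)
    path: str    # source file the finding points at
    line: int    # line number reported in this particular build
    source: str  # text of the flagged source line


def fingerprint(f: Finding) -> str:
    """Stable key for a finding: rule + file + normalized line text.
    Line numbers are deliberately excluded so that lines inserted above
    the finding do not invalidate a reviewed suppression. If the flagged
    line itself changes, the key changes and the finding resurfaces."""
    norm = re.sub(r"\s+", " ", f.source.strip())
    digest = hashlib.sha256(f"{f.rule}|{f.path}|{norm}".encode()).hexdigest()
    return digest[:16]


def triage(findings, suppressed):
    """Return (findings still needing expert review, number dropped)."""
    to_review = [f for f in findings if fingerprint(f) not in suppressed]
    return to_review, len(findings) - len(to_review)


# Constructed sample: build 1 reports two findings; the expert decides the
# NULL_DEREF is a false positive because every caller passes a non-null name.
BUILD1 = [
    Finding("NULL_DEREF", "src/parse.c", 42, "len = strlen(name);"),
    Finding("BUFFER_OVERRUN", "src/parse.c", 57, "strcpy(buf, input);"),
]
SUPPRESSED = {fingerprint(BUILD1[0])}

# Build 2 (constructed): three lines were inserted above the first finding
# and it was re-indented, the strcpy was fixed, and a new finding appeared.
BUILD2 = [
    Finding("NULL_DEREF", "src/parse.c", 45, "    len = strlen(name);"),
    Finding("FORMAT_STRING", "src/log.c", 12, "printf(msg);"),
]

if __name__ == "__main__":
    review, dropped = triage(BUILD2, SUPPRESSED)
    print(f"{dropped} suppressed, {len(review)} to review:")
    for f in review:
        print(f"  {f.rule} {f.path}:{f.line}  {f.source.strip()}")
```

Keying on the file path means a renamed file still needs its suppressions re-reviewed, which is usually the desired behaviour.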
Static analysis tools discover bugs by analyzing source code and simulating the runtime environment with sample data. This is fundamentally different from the environment in which the application will normally execute. The differences between a live machine and a simulated environment can result in false positives as well as missed bugs, because of unexpected system states or architectures, the inability to accurately guess possible data values, and failure to reproduce complex environmental conditions.
Dynamic analysis is a valuable white box testing technique that can find bugs before release which may not be discoverable using static analysis. Dynamic analysis examines the code as it executes, so runtime information such as global and system state is available to the analysis. A good example of dynamic analysis is stepping through source code in a debugger while the application is running.
Peer code reviews allow a fresh pair of eyes to look at one developer's code and discover errors or conditions the original programmer did not think of. This is an important step before checking in new or changed code.
Static analysis tools cannot find all the bugs in source code, nor can they ensure there will be no bugs at ship time. Like every tool in the development toolbox, static analysis tools can only aid in the discovery of bugs. Be careful not to let the use of static analysis tools create a false sense of security; some bugs are runtime dependent and can only be found through real testing and thorough dynamic analysis.
Provided by: Security Innovation, The Application Security Company