Static Code Analysis
- Tags
- security
An approach to test computer software security through [see page 11, automated] processes.
Generally SCA refers to automated analysis that's done at compile time, but can also take into account semantics (data-flow and control flow analysis, abstract interpretation, symbolic evaluation, constraint solving, program evaluation and model-checking). [see page 19, Examples] of which include general linting (eg: unused variables), unreachable code detection, missing variable initialisation, etc. See [see page 20, example] static analysis tools.
Static analysis is [see page 11, part] of McGraws touchpoints process.
The Need for Static Code Analysis
Static analysis is [see page 13, needed] because the traditional methods of finding errors (hand written tests, code inspection) make it hard to find security errors because they only arise in unusual circumstances, and the code base is too large for human code inspection.
Formulation
TODO: Replace See with concrete text.
What we're concerned about with static analysis is the [see page 13, rate] of false positives (tool complains about something which isn't an error) and false negatives (tool doesn't discover an error).
We call a [see page 15, finding]:
- Exploitable if it's a true positive.
- Secure if it's a true negative.
An [see page 16, analysis] is:
- sound if it only finds real bugs (0 false-positives).
- complete if it finds all bugs (0 false-negatives)
Languages themselves can also provide security by giving safety guarantees (type safety, memory safety, thread safety) and access control (public, private, protected). See [see page 28, properties] of safe programming languages and how to [see page 30, ensure] safety. Generally languages that have direct access to hardware are less safe than ones that proxy this access (example: java through JVM bytecode).
Review
Static analysis has a low security risk (worst case, you find vulnerabilities) but it's [see page 21, not free]. It costs money to use some commercial tools and all tools require time and effort to learn and use. Furthermore static analysis generally [see page 23, doesn't work] for dynamic memory allocation or concurrency and in many cases these situations are completely ignored by the tool.
See [see page 22, critieria for success]. See comparison of developer vs security expert [see page 17, desires].