Static code analysis, also known as source code analysis, is typically performed as part of a code review and takes place during the implementation phase of a Security Development Lifecycle (SDL).
Static code analysis usually refers to the use of tools that attempt to detect possible vulnerabilities in the "static", non-running source code. Because the analyst has full access to the code, this method is a white-box test.
A basic distinction is made between dynamic and static test procedures. Dynamic methods, such as Dynamic Application Security Testing (DAST), test functionality while the code is executing; unit tests, penetration tests and functional tests fall into this category. Static procedures, on the other hand, include manual reviews and static code analysis. Static means that the program is not executed: the test is performed solely on the basis of the source code.
There are several techniques for statically analyzing source code for potential vulnerabilities, and a single tool usually combines several of them. Most of these techniques are derived from compiler technology.
Data flow analysis collects information about how data would behave at run time, but does so on the static program, without executing it. Three terms recur in data flow analysis: the basic block (a straight-line sequence of code with one entry and one exit), control flow analysis (how execution moves between blocks) and the control flow path (the path the data takes through them). In data flow analysis, the state of a variable along a path is considered. To do this, a graph of the program (or of a single function) containing all paths is formed first. It is then recorded which actions are performed on the variable along each path, for example assigning it a value, reading it, or letting it go out of scope, and the resulting sequences of actions are checked for anomalous patterns, such as a read before any assignment or an assignment whose value is never read. Not every such pattern is necessarily an error; some may have been intentional.
Control flow analysis examines the program flow. It finds, for example, code fragments that can never be reached during program execution. Compilers often already detect such cases (the Java compiler javac, for instance, rejects unreachable statements as compile errors). Such code does not necessarily lead to errors, but it is highly probable that the programmer of the fragment intended a different program flow.
Taint analysis identifies variables that have been "tainted" by user-controlled input and traces them to potentially vulnerable functions, known as "sinks". If a tainted variable reaches a sink without first being "cleaned" by a sanitizer, the flow is reported as a vulnerability.
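As an added example of the control flow analysis just described (this is illustration code, not code from the original article), the following Python script uses the standard `ast` module to flag statements that can never execute: statements that follow an unconditional jump in the same block, and branches guarded by a constant condition. The `check` sample function and the names `log`, `debug_dump`, `verify` and `cleanup` in it are constructed for the illustration.

```python
# Toy control flow check: report statements that can never execute.
# Added example, not code from the original article. Uses Python's `ast` module.
import ast

JUMPS = (ast.Return, ast.Raise, ast.Break, ast.Continue)  # unconditional exits from a block


def _scan_block(stmts, findings):
    """Scan one statement list in order and recurse into every nested block."""
    after_jump = False
    for stmt in stmts:
        if after_jump:
            findings.append((stmt.lineno, "follows an unconditional jump"))
            continue
        # A constant condition makes one branch dead: `if False:` body, `while True: ... else:`
        if isinstance(stmt, (ast.If, ast.While)) and isinstance(stmt.test, ast.Constant):
            if not stmt.test.value:
                findings.append((stmt.body[0].lineno, "condition is always false"))
            elif stmt.orelse:
                findings.append((stmt.orelse[0].lineno, "condition is always true"))
        for field in ("body", "orelse", "finalbody"):
            nested = getattr(stmt, field, None)
            if isinstance(nested, list):
                _scan_block(nested, findings)
        for handler in getattr(stmt, "handlers", []):  # except-clauses of a try
            _scan_block(handler.body, findings)
        if isinstance(stmt, JUMPS):
            after_jump = True  # the rest of this block can never be reached
    return findings


def find_unreachable(source):
    """Return sorted [(line, reason)] for unreachable statements in `source`."""
    return sorted(_scan_block(ast.parse(source).body, []))


# Constructed sample (not from the article); log/debug_dump/verify/cleanup are placeholders.
SAMPLE = """
def check(token):
    if token is None:
        return False
        log("never runs")
    if False:
        debug_dump(token)
    return verify(token)
    cleanup()
"""

if __name__ == "__main__":
    for line, reason in find_unreachable(SAMPLE):
        print(f"line {line}: unreachable ({reason})")
```

The check is deliberately local: a `return` inside an `if` only kills the remainder of that `if` block, not the enclosing function, because the jump is conditional from the outer block's point of view. Python's own compiler silently drops `if False:` bodies rather than reporting them, which is why checks of this kind live in linters and static analyzers rather than in the compiler.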
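The data flow and taint analysis described in the two paragraphs above, as an added example that is not part of the original article: a toy intraprocedural taint tracker for Python code built on the standard `ast` module. It records, statement by statement, which variable names currently hold data derived from a source, clears that state when a sanitizer or clean value is assigned, and reports every sink call fed by a tainted argument. The source, sanitizer and sink lists, the `ping` sample function and its `request` and `cursor` parameters are all constructed for this illustration and are not a real tool's rule set.

```python
# Toy intraprocedural taint analysis for Python source, built on the `ast` module.
# Added example; SOURCES/SANITIZERS/SINKS are an illustrative configuration, not a
# real tool's rule set.
import ast

SOURCES = {"input", "request.args.get", "request.form.get", "sys.argv"}
SANITIZERS = {"shlex.quote", "html.escape", "int"}
SINKS = {"os.system", "subprocess.Popen", "eval", "exec"}
SINK_METHODS = {"execute", "executescript"}  # matched on the method name: cursor.execute(...)

def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if `expr` may carry source data, given the set of tainted variable names."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False  # a sanitizer's result is treated as clean
    if isinstance(expr, ast.Subscript) and dotted(expr.value) in SOURCES:
        return True  # e.g. sys.argv[1]
    # Everything else (BinOp, f-string, tuple, unknown call): tainted if any operand is.
    children = [c for c in ast.iter_child_nodes(expr) if isinstance(c, ast.expr)]
    if isinstance(expr, ast.Call):
        children += [kw.value for kw in expr.keywords]
    return any(is_tainted(c, tainted) for c in children)

def _calls(node):
    """Call nodes in this statement's own expressions, not in nested statements."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.stmt):
            continue
        if isinstance(child, ast.Call):
            yield child
        yield from _calls(child)

def _statements(body):
    """All statements in source order, each compound statement before its blocks."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, field, None) or [])
        for handler in getattr(stmt, "handlers", []):
            yield from _statements(handler.body)

def analyze_taint(source):
    """Return [(line, sink)] for every sink call fed by unsanitized source data."""
    tainted, findings = set(), []
    for stmt in _statements(ast.parse(source).body):
        # Check sinks against the taint state *before* this statement assigns anything.
        for call in _calls(stmt):
            name = dotted(call.func) or ""
            if name in SINKS or name.rsplit(".", 1)[-1] in SINK_METHODS:
                if any(is_tainted(arg, tainted) for arg in call.args):
                    findings.append((call.lineno, name))
        # Propagate taint through assignments, in statement order.
        if isinstance(stmt, ast.Assign):
            flows = is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if flows:
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)  # reassigned from clean data
        elif isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
            if is_tainted(stmt.value, tainted):
                tainted.add(stmt.target.id)
    return findings

# Constructed sample under analysis (not from the article); `request` and `cursor`
# stand in for a web framework request object and a DB-API cursor.
SAMPLE = '''
import os, shlex

def ping(request, cursor):
    host = request.args.get("host")                       # source
    os.system("ping -c1 " + host)                         # tainted -> sink: reported
    safe = shlex.quote(host)                              # sanitizer
    os.system("ping -c1 " + safe)                         # clean
    query = f"SELECT * FROM hosts WHERE name = '{host}'"  # taint flows through the f-string
    cursor.execute(query)                                 # reported
    count = int(host)                                     # coercion sanitizes
    cursor.execute("SELECT * FROM hosts LIMIT %s", (count,))
'''
```

Running `analyze_taint(SAMPLE)` reports lines 6 and 10 and nothing else. Two design choices are worth noting. First, an unknown callee is assumed to pass taint from any argument to its result (`host.strip()` stays tainted), which trades false positives for fewer misses; only calls listed as sanitizers clear the taint. Second, the state is tracked in plain statement order, so the two arms of an `if`/`else` are processed one after the other with a shared state and loops are not iterated to a fixpoint. A production analyzer merges the states of converging control flow paths and follows data across function calls; this toy shows only the source-to-sink bookkeeping.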
Syntax analysis, which is preceded by lexical analysis (breaking the source into tokens), checks the source code against the grammar rules of the language. Compilers and interpreters perform syntax analysis on every run; if an error is detected, an error message is generated and the compilation process is aborted.
Style analysis applies rule sets that concern programming style. On the one hand these can be company-internal coding style guides, which keep the code within a company uniform and therefore easier to read and maintain. On the other hand they can be programming-language-specific guidelines whose aim is to avoid unsafe programming constructs, such as MISRA C for embedded C code. In many safety-critical areas of embedded software, compliance with such standards is even mandatory.