Software security is no longer just a problem for software designers, developers, and testers. Almost all the white-collar crimes are based on computer security and it is essential for both home and business computers. The operating system vendors are trying to give secured environment. The developers are trying to find the security vulnerability during the early phases of the software development. Source code analysis tools designed for analysis the security flow in the source code during development phase in the software development life cycle (SDLC).


Analysis types

The security analysis tools can be use source code using static analysis and binary application using dynamic analysis using run the data.

Static analysis

Static analysis tools use source for analysis the software security. When the bug finds early in the software development life cycle will cost less. The static analysis tools help to identify the security vulnerability during the development phase.

Dynamic analysis

The dynamic analysis is based on the system execution using binary files. It doesn’t require the source code of the software and often uses for instrumentation. The dynamic analysis might be more complex for design for security test and may not cover full source code coverage.


Static analysis process

Static analysis tools analysis source code without executing the application. It will cover the entire source code execution path for finding the vulnerabilities. The static analysis tools work closely with developer point of view and don’t support more on dynamic data. The static analysis might not solve all the security issues. The static code analysis used the set of rules for security flow and validates based on the rules. The static analysis tools also require manual validation for find false positive.

Pattern matching

Pattern matching uses the simple grep tool to find all occurrences in the source code for finding the safe and unsafe operations. It might not be very good for complex static analysis.

Basic lexical analysis

A lexer is used to turn the source code into a stream of tokens and the tokens are matched against a database of known vulnerability patterns.


Data-flow analysis

Data-flow analysis is a traditional compiler technique for solving similar problems and can be used as a basis of vulnerability detection systems.


Taint Analysis

When the data come from the untrusted source, the analysis will inform all locations where the data is used.


Some IDE started to integrate the static analysis tools. The tools can be identify buffer overflows, SQL Injection Flaws, cross side scripting, Format String Bugs, Integer Overflows, buffer overflow, Out of bounds array access, Out of bounds array access with a negative array index, Arithmetic overflow when allocating an array of objects, Scanf/ getstring buffer overflow, and more security flows.



Open source or Free tools

Tool Name Description Languages
FindBugs Find Bugs in Java Programs Java
FxCop xCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) .NEt
PMD MD is a source code analyzer. It finds unused variables, empty catch blocks, unnecessary object creation, and so forth. Java, JavaScript, XML, XSL, JSP
PREfast PREfast is a static analysis tool that identifies defects in C/C++ programs on Windows CE 5.0 C/C++
OWASP SWAAT Project WAAT is an open source web application source code analysis tool. SWAAT searches through source code and analyzes against the database of potentially dangerous strings given in the .xml files. Java, JSP, ASP .Net, and PHP
Flawfinder flawfinder, a program that examines source code and reports possible security weaknesses (“flaws”) sorted by risk level C and C++
RIPS RIPS is a static source code analyzer for vulnerabilities in PHP web applications. It was released during the Month of PHP Security detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more




Commercial Tools

Tool Name Description Languages
IBM Security AppScan Source Edition IBM Security AppScan Source analyzes source code to identify security vulnerabilities while integrating application security testing with software development processes. COBOL, Java and .NET java™, ClientSide JavaScript, JSP, ColdFusion, C, C++, .NET (C#, ASP.NET, and VB.NET), Classic ASP (JavaScript/VBScript), PHP, Perl, VisualBasic 6, PL/SQL, T-SQL, and COBOL
CodeSecure CodeSecure™ is a static source code analysis platform that leverages third generation software verification technologies to identify web application vulnerabilities throughout development.


ASP.NET, VB.NET, C#, Java/J2EE, JSP, EJB, PHP, Classic ASP and VBScript
HP enterprise security products

HP Fortify Software Security Center

HP Fortify Software Security Center is a suite of tightly integrated solutions for fixing and preventing security vulnerabilities in applications. It eliminates software security risk by ensuring that all business software— whether it is built for the desktop, mobile or cloud—is trustworthy and in compliance with internal and external security mandates. detect more than 480 types of software security vulnerabilities across 20 development languages—the most in the industry
Checkmarx’s Application security Checkmarx CxSuite® is a powerful Source Code Analysis (SCA) solution designed for identifying, tracking and fixing technical and logical security flaws from the root: the source code. Java, C# / .NET, PHP, C, C++, Visual Basic 6.0, VB.NET, Flash, APEX, Ruby, Javascript, ASP, Perl, Android, Objective C.
Coverity SAVE™ Coverity SAVE intelligently tests code with a deep understanding of its behavior, criticality and change impact to focus testing on high-risk areas and accurately detect defects often difficult to find through traditional testing. C, C++, C# and Java
Klocwork Truepath Klocwork Truepath® is the static analysis engine that powers Klocwork’s tools. It accurately identifies critical security and reliability issues through a sophisticated whole program analysis of C/C++, Java and C# code. C/C++, Java and C# code
Parasoft Parasoft Test’s static analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft’s rule set. C/C++, Java, .NET


The following web gives more tools available for static code analysis.



We have discussed many tools for static analysis. The project should consider using the open source or free tools available based on the following considerations.

Cost: The open source might have tools with limited futures. The commercial tools might cost. But, the commercial might support more futures. The project should consider the cost of the application.

Reporting flexibility: The tools support multiple report formats for getting more insights about the vulnerability.

Programming language support: The open source tools don’t support multiple programming languages and environments. But, the commercial tool might support multiple languages and environments (Android, Windows, Linux, etc.).

Good bug-finding performance: The tools might take more time for find the vulnerability. The enterprise types tools might help to identify the issues fast compare then the stand alone applications.

Customize or add rules: The tool support customizes the rules, add or update the rules based on the business requirements.

Static Analysis Tools for security

Leave a Reply

1 Comment on "Static Analysis Tools for security"

Notify of
Sort by:   newest | oldest | most voted

A static code analyzer PVS-Studio, previously available only for large companies, can now be used by individual developers. In the end of 2016, PVS-Studio team made a gift to the users releasing a free version of the product.
Learn how to use a full version of the static analyzer without paying a cent, from this article