Software security is no longer just a problem for software designers, developers, and testers. Almost all the white-collar crimes are based on computer security and it is essential for both home and business computers. The operating system vendors are trying to give secured environment. The developers are trying to find the security vulnerability during the early phases of the software development. Source code analysis tools designed for analysis the security flow in the source code during development phase in the software development life cycle (SDLC).
The security analysis tools can be use source code using static analysis and binary application using dynamic analysis using run the data.
Static analysis tools use source for analysis the software security. When the bug finds early in the software development life cycle will cost less. The static analysis tools help to identify the security vulnerability during the development phase.
The dynamic analysis is based on the system execution using binary files. It doesn’t require the source code of the software and often uses for instrumentation. The dynamic analysis might be more complex for design for security test and may not cover full source code coverage.
Static analysis process
Static analysis tools analysis source code without executing the application. It will cover the entire source code execution path for finding the vulnerabilities. The static analysis tools work closely with developer point of view and don’t support more on dynamic data. The static analysis might not solve all the security issues. The static code analysis used the set of rules for security flow and validates based on the rules. The static analysis tools also require manual validation for find false positive.
Pattern matching uses the simple grep tool to ﬁnd all occurrences in the source code for finding the safe and unsafe operations. It might not be very good for complex static analysis.
Basic lexical analysis
A lexer is used to turn the source code into a stream of tokens and the tokens are matched against a database of known vulnerability patterns.
Data-ﬂow analysis is a traditional compiler technique for solving similar problems and can be used as a basis of vulnerability detection systems.
When the data come from the untrusted source, the analysis will inform all locations where the data is used.
Some IDE started to integrate the static analysis tools. The tools can be identify buffer overflows, SQL Injection Flaws, cross side scripting, Format String Bugs, Integer Overﬂows, buffer overflow, Out of bounds array access, Out of bounds array access with a negative array index, Arithmetic overﬂow when allocating an array of objects, Scanf/ getstring buffer overflow, and more security flows.
Open source or Free tools
|FindBugs||Find Bugs in Java Programs||Java|
|FxCop||xCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime)||.NEt|
|PREfast||PREfast is a static analysis tool that identifies defects in C/C++ programs on Windows CE 5.0||C/C++|
|OWASP SWAAT Project||WAAT is an open source web application source code analysis tool. SWAAT searches through source code and analyzes against the database of potentially dangerous strings given in the .xml files.||Java, JSP, ASP .Net, and PHP|
|Flawfinder||flawfinder, a program that examines source code and reports possible security weaknesses (“flaws”) sorted by risk level||C and C++|
|RIPS||RIPS is a static source code analyzer for vulnerabilities in PHP web applications. It was released during the Month of PHP Security||detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more|
|CodeSecure||CodeSecure™ is a static source code analysis platform that leverages third generation software verification technologies to identify web application vulnerabilities throughout development.
|ASP.NET, VB.NET, C#, Java/J2EE, JSP, EJB, PHP, Classic ASP and VBScript|
|HP enterprise security products
HP Fortify Software Security Center
|HP Fortify Software Security Center is a suite of tightly integrated solutions for fixing and preventing security vulnerabilities in applications. It eliminates software security risk by ensuring that all business software— whether it is built for the desktop, mobile or cloud—is trustworthy and in compliance with internal and external security mandates.||detect more than 480 types of software security vulnerabilities across 20 development languages—the most in the industry|
|Coverity SAVE™||Coverity SAVE intelligently tests code with a deep understanding of its behavior, criticality and change impact to focus testing on high-risk areas and accurately detect defects often difficult to find through traditional testing.||C, C++, C# and Java|
|Klocwork Truepath||Klocwork Truepath® is the static analysis engine that powers Klocwork’s tools. It accurately identifies critical security and reliability issues through a sophisticated whole program analysis of C/C++, Java and C# code.||C/C++, Java and C# code|
|Parasoft||Parasoft Test’s static analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft’s rule set.||C/C++, Java, .NET|
The following web gives more tools available for static code analysis.
We have discussed many tools for static analysis. The project should consider using the open source or free tools available based on the following considerations.
Cost: The open source might have tools with limited futures. The commercial tools might cost. But, the commercial might support more futures. The project should consider the cost of the application.
Reporting flexibility: The tools support multiple report formats for getting more insights about the vulnerability.
Programming language support: The open source tools don’t support multiple programming languages and environments. But, the commercial tool might support multiple languages and environments (Android, Windows, Linux, etc.).
Good bug-finding performance: The tools might take more time for find the vulnerability. The enterprise types tools might help to identify the issues fast compare then the stand alone applications.
Customize or add rules: The tool support customizes the rules, add or update the rules based on the business requirements.