What is static analysis?
Performed on requirement design or code without actually executing the software or before the code is actually run.
Goal of static analysis is to find the defects whether or not they may cause failure.
Static analysis find defects rather than failures.
Types of static analysis
There are several static analysis methods an organization could use, which include:
- Control analysis : focuses on the control flow in a calling structure. For example, a control flow could be a process, function, method or in a subroutine.
- Data analysis : makes sure defined data is properly used while also making sure data objects are properly operating.
- Fault/failure analysis : analyzes faults and failures in model components.
- Interface analysis : verifies simulations to check the code and makes sure the interface fits into the model and simulation.
In a broader sense, with less official categorization, static analysis can be broken into formal, cosmetic, design properties, error checking and predictive categories. Formal meaning if the code is correct; cosmetic meaning if the code syncs up with style standards; design properties meaning the level of complexities; error checking which looks for code violations; and predictive, which asks how code will behave when run.
The strengths and weakness of static analysis
For static analysis strengths are:
- A more thorough approach and more cost-efficient
- It is able to find future errors that would not be detected in dynamic analysis
- It can point out the exact spot in code where there is an error, so you can easily fix it
However, there is one big weakness of static analysis:
You may think it’s a better method than dynamic analysis, but the dynamic analysis is equally important. Because the static analysis is not going to catch some of the run-time errors that dynamic analysis would
Who Should Run Static Code Analysis and Why?
- Software developers: Best practices recommend checking for bugs and coding standards as soon as code is written. Errors detected early in the development process are much easier to debug and fix.
- Software testers: After application code has been integrated, it is recommended to run deep static code analysis on the integrated code to find defects and prove the absence of critical run-time errors.
- Project managers and quality assurance leads: Static code analysis tools produce code quality metrics that can be used to monitor software quality, project status, number of defects, and quality trends.
How to do static analysis testing?
There are six simple steps needed to perform SAST efficiently in organizations that have a very large number of applications built with different languages, frameworks, and platforms.
- Finalize the tool: Select a static analysis tool that can perform code reviews of applications written in the programming languages you use. The tool should also be able to comprehend the underlying framework used by your software.
- Create the scanning infrastructure, and deploy the tool: This step involves handling the licensing requirements, setting up access control and authorization, and procuring the resources required (e.g., servers and databases) to deploy the tool.
- Customize the tool: Fine-tune the tool to suit the needs of the organization. For example, you might configure it to reduce false positives or find additional security vulnerabilities by writing new rules or updating existing ones. Integrate the tool into the build environment, create dashboards for tracking scan results, and build custom reports.
- Prioritize and onboard applications: Once the tool is ready, onboard your applications. If you have a large number of applications, prioritize the high-risk applications to scan first. Eventually, all your applications should be onboarded and scanned regularly, with application scans synced with release cycles, daily or monthly builds, or code check-ins.
- Analyze scan results: This step involves triaging the results of the scan to remove false positives. Once the set of issues is finalized, they should be tracked and provided to the deployment teams for proper and timely remediation.
- Provide governance and training: Proper governance ensures that your development teams are employing the scanning tools properly. The software security touchpoints should be present within the SDLC. SAST should be incorporated as part of your application development and deployment process.
What kind of problems can static analysis find?
Static analysis is a powerful tool to ensure software quality and robustness, and can find a number of issues in code before execution. Some of these categories of issues are:
- Potential security vulnerabilities
- Bug risks and anti-patterns
- Violation of code style guidelines
- Performance issues
- Dead or unused code