
Understanding Static and Dynamic Analysis in Software Development
Explore the significance of static and dynamic analysis in software development, how they help find bugs earlier, and why they are crucial for code security. Learn about static application security testing (SAST), data flow analysis, and automated systems integrated into workflows for enhanced security testing during coding. Discover the benefits and challenges of utilizing tools for static application security testing.
Presentation Transcript
Static and Dynamic Analysis
- checking code out ahead of use

Static Analysis: more than just reading code
- can apply to any level: source, assembly, binary
- and to any layers above, below, or in between

Static Analysis: cost
- In general, the farther away from the dev process a bug is found, the more it costs to fix it (proximity).

Static and Dynamic Analysis: why?
- money: find bugs earlier, which means cheaper
- performance: smaller, faster, better
- adherence to standards/agreements
- security: look for vulnerabilities before they are exploited

SAST (static application security testing)
- the "static" part means not running: looking at the code, either manually or using tools, as opposed to observing the code while it is running
- this starts during development, as part of the developer(s)' normal coding cycles
- software development processes usually have some type of static code review, where one can get fresh eyes on the code

SAST: then come the tools, both boon and bane
- they are easy to write, fun to write, and can form easy (often self-deluding) ideas for a new business
- reliance on tools, especially in place of a strong understanding of fundamentals, can be a major weakness
- trend of tools moving into the IDE
Data Flow Analysis + Taint Analysis
"Taint Analysis attempts to identify variables that have been tainted with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability. Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI." -- owasp.org
https://owasp.org/www-community/controls/Static_Code_Analysis
https://youtu.be/VQkFhrXvRbw?t=1426
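Added example, not from the slides or from OWASP: a toy taint analysis in Python over a tiny three-address IR that applies the source / sanitizer / sink rule the quote describes. The function names (read_request_param, escape_sql, db_query, os_system) are hypothetical, and unknown calls propagate taint conservatively, which is one way such tools end up reporting false positives.

```python
"""Toy intraprocedural taint analysis over a tiny three-address IR (added example).
Function names (read_request_param, escape_sql, db_query, os_system) are hypothetical."""
from typing import List, Optional, Tuple

SOURCES = {"read_request_param"}   # calls whose result is user-controlled
SANITIZERS = {"escape_sql"}        # calls whose result is a cleaned copy of the input
SINKS = {"db_query", "os_system"}  # calls that are dangerous with tainted arguments


class Stmt:
    """One IR statement: target = func(*args); func is None for a plain copy."""
    def __init__(self, target: Optional[str], func: Optional[str], args: Tuple[str, ...]):
        self.target, self.func, self.args = target, func, args


def analyze(stmts: List[Stmt]) -> List[Tuple[int, str, str]]:
    """Report (line, sink, variable) wherever a tainted variable reaches a sink
    without passing through a sanitizer first."""
    tainted = set()   # variables currently carrying user-controlled data
    findings = []
    for line, s in enumerate(stmts, 1):
        if s.func in SOURCES:
            tainted.add(s.target)        # result of a source is tainted
        elif s.func in SANITIZERS:
            tainted.discard(s.target)    # result of a sanitizer is clean
        elif s.func in SINKS:
            findings.extend((line, s.func, a) for a in s.args if a in tainted)
        elif s.target is not None:
            # copy or unknown call: result tainted iff any input is (conservative,
            # a source of false positives); reassignment from clean inputs kills taint
            if any(a in tainted for a in s.args):
                tainted.add(s.target)
            else:
                tainted.discard(s.target)
    return findings


# Constructed sample, as if lowered from:
#   name = read_request_param(req); greeting = name; safe = escape_sql(name)
#   db_query(safe); db_query(greeting); name = const; os_system(name)
PROGRAM = [
    Stmt("name", "read_request_param", ("req",)),
    Stmt("greeting", None, ("name",)),
    Stmt("safe", "escape_sql", ("name",)),
    Stmt(None, "db_query", ("safe",)),       # sanitized: not reported
    Stmt(None, "db_query", ("greeting",)),   # tainted copy reaches a sink: reported
    Stmt("name", None, ("const",)),          # reassignment kills the taint on name
    Stmt(None, "os_system", ("name",)),      # clean: not reported
]

if __name__ == "__main__":
    for line, sink, var in analyze(PROGRAM):
        print(f"line {line}: tainted '{var}' reaches sink {sink}()")
```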
"Automated systems integrated into workflows can enable developers to perform quick security tests as they code and ingest remediation information without leaving the IDE." -- thenewstack.io
this is the pitch:
"By bringing security detection and remediation right into the integrated development environment (IDE), and delivering that information to developers as they work, security-focused IDE plugins let you build security into your code without impeding workflows."

Knowledge of fundamentals + reading the code is still usually a better ROI
- still, if a tool finds one thing you missed even though you had complete understanding, it can be hard to argue against, as long as the burden of use is not too high

SAST: then come the tools, both boon and bane
- Fortify - https://en.wikipedia.org/wiki/Fortify_Software (now HP)
- Klocwork - https://www.perforce.com/products/klocwork
- Coverity - https://www.synopsys.com/software-integrity/security-testing.html
- LLVM Clang Static Analyzer - http://clang-analyzer.llvm.org/ (open source)
- FindBugs - http://findbugs.sourceforge.net/
- Clang, cppcheck: C/C++ tools
- RATS: RE driven
Static analysis tools examples: FindBugs (Java tool)
http://www.cs.umd.edu/~pugh/MistakesThatMatter.pdf
- last release 2015; the PDF is still a good read, on static analysis in general as well as an introduction to FindBugs
- 18: Injection
- 22: Java version of f1.c, returning the address of a variable on the stack
- 33: Synchronization
- 35: Testing
- 36: Dead code, code coverage

"FindBugs might be more useful as an untested code detector than as a bug detector"
> "Overall, testing is more valuable than static analysis"

also, take a look at:
- checkstyle
- pmd - https://pmd.github.io/
these tools/plugins/platforms/processes come and go; why bother to spend time with one, but not with the next? what is the metric?
Static analysis tools examples: Clang, cppcheck (C, C++)
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C,_C++
get a copy of /home/engine on 147.182.177.199 and run cppcheck:
$ cd /home
$ cp -r engine ~
$ cd ~/engine
$ cppcheck [--force] . 2>errors

Static analysis tools examples: Clang, cppcheck (C, C++)
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C,_C++
try again with openssl: 147.182.177.199:/home/openssl-master
The main advantage of static analysis is that it finds issues with the code before it is ready for integration and further testing.
- The problems are found at the exact location where they occur (amazing, no? as opposed to what/where?)
- Weaknesses are found earlier in the development life cycle, reducing the cost to fix.
- Tools can sometimes be used by testing (non-dev) staff.

but:
- can take a lot of time, especially when done manually
- tools produce false positives & negatives, often a LOT of them
- need some level of technical understanding
- tools can provide a false sense of security that everything was found
- the rules, and nothing but the rules: it's all about the rules