One of the fastest-growing areas in the software security industry is source code analysis tools, also known as static analysis tools. These tools examine source code without executing it, following control and data flow through the program to detect security vulnerabilities and to advise on how to remediate the problems they find, ideally before the code goes into production.
The entire software security market was worth about $300 million in 2007. It’s estimated that the tools portion of that market doubled from 2006 to 2007 to about $180 million. About half of that is attributable to static analysis tools, which amounted to about $91.9 million.
Despite the high degree of awareness, many companies are behind the curve in their use of static analysis tools, possibly due to the big process changes that these tools entail.
Key Decisions in Source Code Analysis
1 Should you start with static tools or dynamic tools or use both?
In addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools, which run automated scans against a running Web application (ideally a staging copy rather than production, since an aggressive scan can disrupt the site) to unearth vulnerabilities. In other words, dynamic tools test from the outside in, while static tools test from the inside out.
Many organizations start with dynamic testing, just to get a quick assessment of where their applications stand. In some cases, the groups that start this initiative are in security or audit compliance departments and don’t have access to source code. The natural second step is to follow up with static analyzers, enabling developers to fix the problems found by dynamic analysis tools. Some companies continue using both, because each type yields different findings.
An important differentiator between the two types is that static analyzers point you to the exact line of code causing the problem, while dynamic analyzers only identify the Web page, URL and request parameter that trigger the issue; a developer still has to trace that request back to the responsible code. That is why some vendors offer integration between the two types of tools, correlating a dynamic finding with the static finding at the corresponding line.
According to the chief scientist at a large software vendor, dynamic assessment tools tend to be brute force. You have to hit every parameter to find the vulnerabilities, whereas static tools investigate the whole landscape of the application.
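The inside-out versus outside-in distinction above is easiest to see side by side. The following is an added example, not code from the article or from any vendor's product: a miniature taint analysis that walks a handler's source and reports the exact line where untrusted input reaches an SQL sink, beside a black-box probe that sends payloads through the same handler's request interface and can only report the URL and parameter that caused a database error. The handler (`lookup_user`), its request shape (`request["args"]`) and the `/lookup` path are assumptions constructed for the example.

```python
import ast
import sqlite3
from urllib.parse import urlencode

# Constructed sample handlers, kept as source text so the static pass can
# parse them and the dynamic pass can load and execute them. The function
# name and the request dict shape are assumptions made for this example.
VULNERABLE_SOURCE = '''\
def lookup_user(request, conn):
    name = request["args"].get("name")      # untrusted input (source)
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    cur = conn.execute(query)                # SQL sink fed by tainted data
    return cur.fetchall()
'''

SAFE_SOURCE = '''\
def lookup_user(request, conn):
    name = request["args"].get("name")
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''


def static_scan(source, tainted_roots=("request",), sinks=("execute",)):
    """Miniature taint analysis ("inside out"): walks each function's
    statements in order, marks variables assigned from a tainted root as
    tainted, and flags sink calls whose first argument (the SQL text) is
    tainted. Each finding carries the exact source line."""
    tree = ast.parse(source)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set(tainted_roots)

        def is_tainted(node):
            return any(isinstance(n, ast.Name) and n.id in tainted
                       for n in ast.walk(node))

        for stmt in func.body:
            # Propagate taint through plain assignments (x = <tainted expr>).
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            # Check every call inside the statement against the sink list;
            # only the SQL-text argument matters, so a parameterized query
            # with a tainted bind value is not reported.
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                f = call.func
                fname = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
                if fname in sinks and call.args and is_tainted(call.args[0]):
                    findings.append({"function": func.name, "line": call.lineno,
                                     "sink": fname})
    return findings


def load_handler(source):
    """Compile the handler text into a callable, as if it were deployed."""
    namespace = {}
    exec(compile(source, "handler.py", "exec"), namespace)
    return namespace["lookup_user"]


def dynamic_scan(handler, path="/lookup", param="name", probes=("alice", "'")):
    """Black-box probing ("outside in"): sends payloads through the request
    interface and watches for a database error. The finding can only name
    the URL and parameter, never the line of code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    findings = []
    for probe in probes:
        url = path + "?" + urlencode({param: probe})
        try:
            handler({"args": {param: probe}}, conn)
        except sqlite3.Error as exc:
            findings.append({"url": url, "param": param, "evidence": str(exc)})
    return findings


if __name__ == "__main__":
    print("static :", static_scan(VULNERABLE_SOURCE))
    print("dynamic:", dynamic_scan(load_handler(VULNERABLE_SOURCE)))
    print("safe   :", static_scan(SAFE_SOURCE), dynamic_scan(load_handler(SAFE_SOURCE)))
```

Run as a script, the static pass reports `lookup_user` line 4 as the `execute` sink, while the dynamic pass reports `/lookup?name=%27` and the `name` parameter with the SQLite error as evidence; on the parameterized version both passes come back empty. Correlating the two results is exactly what the vendor integrations mentioned above do, at a far larger scale.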
2 Do you have the source code?
Most static analyzers scan source code, but what happens when you want to analyze third-party software, or code written so long ago that only the executable survives? In that case you could try a tool that offers binary code scanning through a software-as-a-service platform. A vendor may not be willing to hand over source code, but in many cases they will give you executables or binaries.