Page 27
By Art Dahnert, Security Product Manager, Klocwork, a Rogue Wave Company
More and more development teams are standardizing on static code analysis and open
source scanning to reduce the risk of security breaches in the field. These tools find whole
classes of vulnerabilities automatically, so developers spend less time, money, and specialist
skill hunting for them by hand. It boils down to three things: knowing where your risks are,
checking in more secure code, and reducing the probability of a successful attack.
What does static code analysis do?
Static code analysis (SCA; the same abbreviation is also used for software composition
analysis, the open source scanning discussed below) is the automated identification of
programmatic, semantic, and security errors in code without running it. Simple analysis tools
are little more than glorified compilers, reporting what compiler warnings already catch; more
sophisticated tools follow control and data flow across functions and files within the whole
application and check for compliance against common industry coding standards (CERT C and
MISRA are typical examples).
Consider a function that dereferences a pointer set by another function. Manual unit testing
of either function in isolation may not reveal that the pointer being dereferenced can be
NULL: the tests for the producer check its return value, the tests for the consumer hand it a
valid pointer, and the combination is never exercised. Interprocedural static code analysis,
on the other hand, follows the NULL return into the dereference and reports it. Going further,
consider the same situation but with the two functions developed by two different teams.
The chance of the NULL pointer dereference reaching the customer becomes higher still if
the cross-team test coverage isn't there.
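The two-function case described above, as an added example that is not code from the article or from Klocwork. `find_user()` and the two `is_admin_*()` functions are hypothetical, and the user table is constructed sample data; the point is that each function is correct on its own terms and only the interaction is wrong:

```c
/* Added example (not from the article): a NULL dereference that neither
 * function shows in isolation. find_user() is a hypothetical lookup that
 * legitimately returns NULL for an unknown name; is_admin_unchecked() was
 * written on the assumption that the pointer is always valid. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct user {
    const char *name;
    int         admin;
};

/* Constructed sample data standing in for a real user store. */
static const struct user USERS[] = {
    { "alice", 1 },
    { "bob",   0 },
};

/* Team A's function: returns NULL for an unknown name. The caller is
 * responsible for checking, but nothing in the signature enforces that. */
const struct user *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0)
            return &USERS[i];
    return NULL;
}

/* Team B's function, vulnerable: dereferences the pointer unconditionally.
 * Unit tests with "alice" and "bob" pass; "mallory" crashes the process
 * (CWE-476). Only an analysis that follows find_user()'s NULL return into
 * this function reports the problem. */
int is_admin_unchecked(const char *name)
{
    const struct user *u = find_user(name);
    return u->admin;
}

/* Hardened: an unknown user is not an admin. Failing closed matters here
 * because this is an authorization decision, not merely a crash to avoid. */
int is_admin_checked(const char *name)
{
    const struct user *u = find_user(name);
    if (u == NULL)
        return 0;
    return u->admin;
}

int main(void)
{
    const char *names[] = { "alice", "bob", "mallory" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%s: admin=%d\n", names[i], is_admin_checked(names[i]));
    /* is_admin_unchecked("mallory") would dereference NULL here. */
    return 0;
}
```

A unit test that covers `find_user()` with an unknown name and `is_admin_unchecked()` with a known one passes in both cases; the crash only appears when the unknown name flows through both. That cross-function path is exactly what an interprocedural analyzer tracks, and what a reviewer should look for whenever a function's return value is documented as "may be NULL".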
It's not surprising, then, that Capers Jones of Namcook Analytics found that, without tools
and processes like static code analysis, developers find less than 50 percent of the bugs in
their own software.
What does open source scanning do?
Developers have nearly limitless options when it comes to finding and downloading open
source code, and they pull it in in many forms: whole libraries as dependencies, vendored
packages, and copied snippets. Understanding and tracking open source use isn't usually a
priority for developers whose primary focus is on delivering features.
Scanning tools offer an automated and repeatable method for understanding the scope and
depth of open source use within a company. Not only do they free up time for other
development work, they also take human error out of the inventory. Given that open source
packages can contain other open source packages (transitive dependencies) and that even a
few lines of reused code can carry a known vulnerability, scanning tools are the only practical
way to know exactly what is in your code base. Sophisticated open source scanning also
comes with open source support, to help you understand the packages you depend on.
How do these tools reduce security risks?
Static analysis helps developers deal with well-known but hard-to-understand security
vulnerabilities. Take a buffer overflow as an example: when data is copied into a buffer
without checking that the destination is large enough, or when the length being copied
comes from an untrusted source, the application is potentially vulnerable. Buffer
overflows cover so many different forms of exploits (such as the well-known Heartbleed flaw,
which strictly speaking was an out-of-bounds read: a client-supplied length was trusted when
copying out of a much smaller buffer)
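The length-trust mistake behind that family of bugs, as an added example that is not code from the article or from Klocwork. The record format (one declared-length byte followed by the payload), the two `echo_*()` functions and the sample records are all constructed for illustration; the vulnerable version is what an analyzer would flag, the checked version is the fix:

```c
/* Added example (not from the article): trusting a declared length.
 * Hypothetical record format: byte 0 is the declared payload length,
 * bytes 1.. are the payload. echo_unchecked() trusts the declared length,
 * which is the Heartbleed pattern: declare 255 bytes, send 4, and receive
 * 251 bytes of whatever follows the record in memory. echo_checked() bounds
 * the copy by what was actually received and by the output capacity. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample records. */
static const uint8_t GOOD_RECORD[] = { 4, 'p', 'i', 'n', 'g' };
/* Declares 255 bytes but only 4 follow. */
static const uint8_t EVIL_RECORD[] = { 255, 'p', 'i', 'n', 'g' };

/* Vulnerable: ignores how many bytes were actually received and how large
 * `out` is. With EVIL_RECORD it reads 251 bytes past the record (CWE-126)
 * and may also overflow `out` (CWE-120). Shown for contrast only; never
 * call it with attacker-controlled input. */
size_t echo_unchecked(const uint8_t *rec, size_t received, uint8_t *out)
{
    (void)received;                       /* the bug: actual size ignored */
    size_t declared = rec[0];
    memcpy(out, rec + 1, declared);
    return declared;
}

/* Hardened: the copy length is bounded by both the bytes received and the
 * capacity of the destination. Returns 0 (nothing copied) on any mismatch. */
size_t echo_checked(const uint8_t *rec, size_t received,
                    uint8_t *out, size_t out_cap)
{
    if (rec == NULL || received < 1)
        return 0;                         /* no length byte to read */
    size_t declared = rec[0];
    if (declared > received - 1)
        return 0;                         /* claims more than was sent */
    if (declared > out_cap)
        return 0;                         /* would overflow destination */
    memcpy(out, rec + 1, declared);
    return declared;
}

int main(void)
{
    uint8_t out[64];
    size_t n = echo_checked(GOOD_RECORD, sizeof GOOD_RECORD, out, sizeof out);
    printf("good record: echoed %zu bytes\n", n);
    n = echo_checked(EVIL_RECORD, sizeof EVIL_RECORD, out, sizeof out);
    printf("evil record: echoed %zu bytes (rejected)\n", n);
    return 0;
}
```

The defining feature of the vulnerable function is that a value parsed from the input (`rec[0]`) reaches `memcpy` as a length without ever being compared against the size of the source or the destination. Data-flow-aware static analysis reports precisely that path, tainted length to unchecked copy, which is why such tools catch this class of bug even when every individual call site looks reasonable in isolation.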