Static Analysis

If there is any bright spot in the recent Covid-19 mess, it is software’s ability to connect the world and enable nearly every major facet of modern life to persist. When software fails to work as expected, the negative consequences are worse than ever; the Zoom outage is one example. Bugs are bad, and we should remove them as early as possible when working on a software product. Typically, we write tests (unit tests, regression tests and smoke tests) that execute parts of the developed code to confirm that it behaves as expected and to find run-time bugs. Static Analysis finds problems in source code before the program executes. Its alerts range from simple coding errors to deep structural problems uncovered by sophisticated data flow analysis.

Static Analysis plays a key role before Software Testing begins: it makes sure that the code you pass on to testing is of the highest possible quality, and if you choose the right Static Analyzer, it speeds up the development process. Static Analysis finds potential quality issues in your code before you run your program, including programming errors, coding standard violations and security weaknesses. Static Analysers are particularly good at finding coding issues such as buffer overflows, memory leaks and null pointer dereferences. Code review is one of the best ways to reduce the defect rate in a software product, but it carries a significant cost in man-hours. Static analysers also push developers to follow good coding guidelines, which improves quality over the long term.

Static Code Analysis is usually incorporated at any stage after the “Code Development phase” and before the “Unit / Component / Integration” testing phases. In some cases, CI / CD pipelines use Static analysis reports as a quality gate for code promotion.

Static Analysis in Support of Security:

Static Analysis can support security vulnerability detection, alongside bug detection, quality metrics and Coding Standard conformance. For security testing, techniques such as data flow analysis trace the flow of potential user inputs through program code and flag locations where unsanitized data may be processed.
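The source-to-sink tracing described above, as an added illustration that is not part of the original article: a toy taint tracker built on Python's `ast` module, with assumed source, sanitizer and sink lists and a constructed sample program. A real analyser would also handle control flow, function calls and aliasing; this one walks top-level statements in order.

```python
import ast
# Constructed sample (not from the page): user input reaches a shell sink and a
# SQL sink; one path is cleansed by shlex.quote first, the others are not.
SAMPLE = """\
import os, shlex
name = input()
safe = shlex.quote(name)
os.system("echo " + name)
os.system("echo " + safe)
cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
"""

# Assumed taint policy: where untrusted data enters, what cleanses it, and
# which calls are dangerous to reach with uncleansed data.
SOURCES = {"input"}
SANITIZERS = {"shlex.quote"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}

def qualified_name(node):
    # Return 'a.b' for a Name/Attribute chain such as os.system, else None.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    # True if any value feeding this expression derives from a source.
    if isinstance(expr, ast.Call):
        fn = qualified_name(expr.func)
        if fn in SANITIZERS:
            return False            # sanitizer output is treated as clean
        if fn in SOURCES:
            return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_taint_flows(source_code):
    # Propagate taint through assignments in statement order and report
    # (line, sink) whenever a sink call receives tainted data.
    tainted, findings = set(), []
    for stmt in ast.parse(source_code).body:
        if isinstance(stmt, ast.Assign):
            dirty = is_tainted(stmt.value, tainted)
            target = stmt.targets[0]
            if isinstance(target, ast.Name):   # clean reassignment un-taints
                (tainted.add if dirty else tainted.discard)(target.id)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            fn = qualified_name(stmt.value.func)
            if fn in SINKS and any(is_tainted(a, tainted) for a in stmt.value.args):
                findings.append((stmt.lineno, fn))
    return findings
```

Running `find_taint_flows(SAMPLE)` reports the `os.system` call on line 4 and the `cursor.execute` call on line 6, while the `shlex.quote`-protected call on line 5 is not flagged.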

Static Analysis in support of functional safety and coding standards:

Static Analysis tools are mandated by functional safety standards like ISO 26262 or EN 50128 for their ability to detect hard-to-find defects and improve the security of a software product. Static analysis tools also help software teams conform to coding standards used primarily to validate secure coding, such as CERT, OWASP, CWE, MISRA and so on.

Benefits of Static Code Analysis:

•    Work on Large Volumes of Code: Static Analysis Tools can review any number of lines of code, including object code and libraries, for defects and vulnerabilities.
•    Detection of Security Vulnerabilities: Static Analysis tools can point out vulnerabilities and insecure coding practices.
•    Tool Integrations: These tools can be integrated easily with IDEs like Eclipse, build systems like Jenkins, version control systems like GitHub, and bug tracking tools like JIRA.
•    Reduce the review effort: Running these tools on code before it is reviewed reduces the number of defects that remain to be discovered manually.

Limitations of Static Code Analysis:

•    It is time consuming if conducted manually
•    Automated tools do not support all languages
•    Automated tools produce false positives and false negatives
•    Automated tools can provide a false sense of security that everything is being addressed
•    It does not find vulnerabilities introduced by the runtime environment