Static code analysis, also known as static application security testing (SAST), is a method for analyzing an application’s uncompiled source code without executing the code itself. Static code analysis has actually been around longer than most people realize.
The first generation of static code analysis tools emerged around the same time that the Village People were skyrocketing to fame with their hit “Y.M.C.A.”
This first generation, often referred to as Lint, emerged from Bell Labs in the late 1970s and began by scanning C source code for suspicious constructs or bugs. Widespread adoption of these early static program analysis tools was held back by the number of false positives they produced, which turned a promising new solution into shelfware at many organizations. Another sticking point for early static code analysis tools was that they could only view a single file during a scan, which greatly hindered their accuracy.
Second generation static code analysis solutions began appearing circa 2000 around the widespread fears of disastrous Y2K bugs. This second generation of source code analysis had evolved past single file limitations and began to analyze entire code bases.
The focus switched from checking for suspicious constructs in the code, such as variables being used before being set or division by zero, to identifying runtime defects within the code. While these solutions were vast improvements over the early days of Lint-like scanning, the second generation of static program analysis was held back by its inability to maintain a high level of accuracy when scaled up to large applications with millions of lines of code.
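The two first-generation checks named above, a variable read before it is set and a division by a literal zero, can be reproduced in a few dozen lines over Python's `ast` module. The checker below is an added example written for this page, not Lint's code or Checkmarx's; the module layout, the rule names and the `SAMPLE` source are hypothetical, constructed to show each rule firing once. Like Lint it never executes the code it inspects, and like Lint it only knows about names assigned somewhere in the same function, so a read of an undeclared global is ignored rather than reported.

```python
"""Toy Lint-style static checker (added example, not Checkmarx's or Lint's
code).  Parses Python source without running it and reports a local read
before any assignment, and a division by a literal zero.  Names and SAMPLE
are hypothetical/constructed for the demo."""
import ast
from dataclasses import dataclass

SCOPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    name: str


def _names(node, ctx):
    """Yield Name nodes with the given context (Load/Store) under `node`,
    without descending into nested scopes, which have their own locals."""
    if isinstance(node, ast.Name) and isinstance(node.ctx, ctx):
        yield node
    for child in ast.iter_child_nodes(node):
        if not isinstance(child, SCOPES):
            yield from _names(child, ctx)


def _report(loads, assigned, declared, out):
    """A name local to the function (declared) with no assignment on any
    path so far is a use-before-set; globals and builtins are ignored."""
    for n in loads:
        if n.id in declared and n.id not in assigned:
            out.add(Finding("use-before-assignment", n.lineno, n.id))


def _check_block(stmts, assigned, declared, out):
    """Flow-sensitive walk over a statement list.  Branches merge
    optimistically (assigned in either arm counts afterwards), trading a
    few misses for fewer false positives."""
    for stmt in stmts:
        if isinstance(stmt, (ast.If, ast.While, ast.For)):
            header = stmt.iter if isinstance(stmt, ast.For) else stmt.test
            _report(_names(header, ast.Load), assigned, declared, out)
            if isinstance(stmt, ast.For):
                assigned |= {n.id for n in _names(stmt.target, ast.Store)}
            arms = []
            for arm in (stmt.body, stmt.orelse):
                arm_assigned = set(assigned)
                _check_block(arm, arm_assigned, declared, out)
                arms.append(arm_assigned)
            assigned |= arms[0] | arms[1]
        elif isinstance(stmt, ast.With):
            for item in stmt.items:
                _report(_names(item.context_expr, ast.Load), assigned, declared, out)
                if item.optional_vars is not None:
                    assigned |= {n.id for n in _names(item.optional_vars, ast.Store)}
            _check_block(stmt.body, assigned, declared, out)
        elif isinstance(stmt, ast.Try):
            parts = [stmt.body, *(h.body for h in stmt.handlers), stmt.orelse, stmt.finalbody]
            for part in parts:                      # approximated as sequential
                _check_block(part, assigned, declared, out)
        else:
            loads = list(_names(stmt, ast.Load))
            if isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
                loads.append(stmt.target)           # `x += 1` reads x first
            _report(loads, assigned, declared, out)
            assigned |= {n.id for n in _names(stmt, ast.Store)}


def _params(func):
    a = func.args
    names = {p.arg for p in (*a.posonlyargs, *a.args, *a.kwonlyargs)}
    return names | {p.arg for p in (a.vararg, a.kwarg) if p is not None}


def analyze(source: str) -> list:
    """Run both rules over every function in `source` (parsed, never executed)."""
    tree = ast.parse(source)
    out = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            params = _params(node)
            declared = params | {n.id for n in _names(node, ast.Store)}
            _check_block(node.body, set(params), declared, out)
        elif (isinstance(node, ast.BinOp)
              and isinstance(node.op, (ast.Div, ast.FloorDiv))
              and isinstance(node.right, ast.Constant)
              and type(node.right.value) in (int, float)
              and node.right.value == 0):
            out.add(Finding("division-by-zero", node.lineno, ast.unparse(node)))
    return sorted(out, key=lambda f: (f.line, f.rule, f.name))


# Constructed input: one hit per rule, plus a clean function.
SAMPLE = '''
def average(values):
    for v in values:
        total += v
    count = len(values)
    return total / count

def ratio(a):
    return a / 0

def fine(items):
    total = 0
    for x in items:
        total += x
    if total > 10:
        label = "big"
    else:
        label = "small"
    return label, total % 3
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.name}")
```

The optimistic branch merge is the same trade-off the text describes for the whole first generation: a stricter rule that reported `label` in `fine()` as possibly unset would be correct on paper, but it is exactly the kind of noise that turned early tools into shelfware.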
The second generation of static analysis tools also moved to a later stage of the software development lifecycle, as part of the code audit, thus lengthening the time between when the code was written and when the bugs were identified and needed to be fixed. Reacquainting developers with code they had written weeks or even months earlier took time, and the resulting lengthy remediation process drove up costs to the organization. Combined with budget and time constraints, there is no doubt that many issues which were, in fact, critical made it into production simply because of scheduling pressures within the project's management.
Today we live, and code, in the third generation of static code analysis, in which the proven accuracy of second-generation solutions has been brought back into the hands of developers at earlier stages of the software development lifecycle. One of the hallmarks of modern static code analysis is integration with the tools developers already use. In this era of static code analysis, developers play a larger role in application security, and through tools like Checkmarx's CxSAST their application security maturity increases as they become familiar with common errors in their code and fix them as they code.
Code review, also known as peer review, is essentially a final check to ensure that an application is free of bugs and flaws, and matches the requirements and functionality set out by the customer.
Secure code review focuses on finding errors in authentication, authorization, security configuration, session management, logging, data validation, error handling, and encryption, and can be done either manually or using an automated solution. Since some applications have hundreds of thousands, or even millions, of lines of code that need to be reviewed, organizations often adopt a mixture of automated and manual methodologies to ensure that the code review is both scalable and accurate.
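The automated half of that mixture is a rule engine looking for one of the error classes listed above. The following is an added example written for this page, not Checkmarx's CxSAST queries, showing a single data-validation rule: it flags a database query assembled at runtime by concatenation, `%`-formatting, `str.format()` or an f-string and then handed to a cursor's `execute()` call, while leaving the parameterised form alone. Module, rule and sample names are hypothetical and `SAMPLE` is constructed input; the within-function taint tracking is deliberately flow-insensitive, which is the kind of approximation a manual reviewer is there to second-guess.

```python
"""Toy automated secure-code-review rule (added example, not Checkmarx's
code).  Flags SQL text assembled from runtime values and passed to a
cursor's execute()/executemany().  Names and SAMPLE are hypothetical /
constructed for the demo."""
import ast
from dataclasses import dataclass

SINKS = {"execute", "executemany"}          # cursor methods that run SQL


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _is_dynamic_string(node):
    """True when the expression builds a string from runtime values.
    Literal + literal is also reported; rare in practice and harmless."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):                      # "..." % x
            return _is_str(node.left)
        if isinstance(node.op, ast.Add):                      # "..." + x
            return any(_is_str(s) or _is_dynamic_string(s)
                       for s in (node.left, node.right))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        base = node.func.value                                # "...".format(x)
        return node.func.attr == "format" and (_is_str(base) or _is_dynamic_string(base))
    return False


def analyze(source: str) -> list:
    """Report sink calls whose first argument is assembled at runtime, either
    inline or via a local assigned such a string anywhere in the same
    function (flow-insensitive: a later reassignment to a literal is missed)."""
    tree = ast.parse(source)
    out = set()
    funcs = [n for n in ast.walk(tree)
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    for func in funcs:
        tainted = {t.id for n in ast.walk(func)
                   if isinstance(n, ast.Assign) and _is_dynamic_string(n.value)
                   for t in n.targets if isinstance(t, ast.Name)}
        for n in ast.walk(func):
            if not (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                    and n.func.attr in SINKS and n.args):
                continue
            q = n.args[0]
            if _is_dynamic_string(q):
                out.add(Finding(n.lineno, "query text assembled inline from runtime values"))
            elif isinstance(q, ast.Name) and q.id in tainted:
                out.add(Finding(n.lineno, f"query variable {q.id!r} assembled from runtime values"))
    return sorted(out, key=lambda f: f.line)


# Constructed input: three flagged variants and the parameterised fix.
SAMPLE = '''
def find_user(cur, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)

def find_user_fmt(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_fstr(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.reason}")
```

`find_user_safe` passes a constant query string and hands `name` to the driver as a bound parameter, which is the remediation the rule implicitly points at; a reviewer reading the three findings has the fix on the same screen.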
If by "static code review" you mean the combination of static analysis and code review, the answer is a resounding YES. Source code analysis will allow your developers to identify and mitigate vulnerabilities during the earlier stages of the development process, and a final secure code review will let you sleep more soundly at night knowing that your application has undergone a full, comprehensive security test before it rolls out to production.
Which code review tools are you familiar with? Tell us in the comments below!
To gain a deeper understanding of secure code review best practices and learn the pros and cons of manual and automated secure code reviews, be sure to read 5 Best Practices for the Perfect Secure Code Review.
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.