Static code review, as a phrase, is actually a bit misleading. Static code review refers to two divergent methods of security testing: static code analyis and code review.
These methods check code for flaws, security issues and quality concerns that, when combined, help developers ensure that their code is not only free from potential exploits but also fits the requirements set forth by the organization or their customers.
What is Static Code Analysis?
Static code analysis, also known as static application security testing (SAST), is a method for analyzing an application’s uncompiled source code without executing the code itself. Static code analysis has actually been around longer than most people realize.
From Y.M.C.A. to Y2K: A Brief History of Source Code Analysis
First Generation Static Code Analysis
The first generation of static code analysis tools emerged around the same time that the Village People were skyrocketing to fame with their hit “Y.M.C.A.”
This first generation, often referred to as Lint, emerged from Bell Labs in the late 1970’s and began by scanning C language source code for suspicious constructs or bugs. The widespread adoption of early static program analysis tools was held back by the numbers of false-positives which turned this promising new solution into shelfware at many organizations. Another sticking point for early static code analysis tools was the fact that they were only able to view a single file during their scans which greatly hindered their accuracy.
Second Generation Static Code Analysis
Second generation static code analysis solutions began appearing circa 2000 around the widespread fears of disastrous Y2K bugs. This second generation of source code analysis had evolved past single file limitations and began to analyze entire code bases.
The focus switched from checking for suspicious constructs in the code, such as variables being used before being set, division by zero, etc., to identifying runtime defects within the code. While these solutions were vast improvements from the early days of Lint-like scanning, the second generation of static program analysis was held back by the fact that they weren’t able to maintain a high level of accuracy in finding defects in large application with millions of lines of codes when they needed to scale.
The second generation of static analysis tools also moved to a later stage of the software development lifecycle as a part of the code audit, thus lengthening the time between when the code was written and when the bugs were identified and needed to be fixed. The time it takes to reacquaint developers with code that could be weeks, or even months, away from the time that they wrote resulted in much higher costs to the organization as the remediation process was often lengthy. Combined with budget and time constraints, there is no doubt that many issues which were, in fact, critical, could have made it into production simply because of scheduling pressures within the project’s management.
Third Generation Static Code Analysis
Today we live, and code, in the third generation of static code analysis where the proven accuracy of second-generation solutions was brought back into the hands of developers at earlier stages in the software development lifecycle. One of the hallmarks of modern static code analysis is the integration with the tools that developers are using. In this era of static code analysis, the developers play a larger role in application security and through tools like Checkmarx’s CxSAST their application security maturity increases as they become familiar with common errors in their code and fixing them as they code.
What is Code Review?
Code review, also known as peer review, is essentially a final check to ensure that an application is free of bugs and flaws, and matches the requirements and functionality set out by the customer.
Secure code review focuses on finding errors in authentication, authorization, security configuration, session management, logging, data validation, error handling, and encryption and can be done either manually or using an automatic solution. Since some applications have hundreds of thousands, or even millions of lines of codes that need to be reviewed, often organizations will choose to adopt a mixture of both automated and manual methodologies to ensure that the code review is both scalable and accurate.
Do I need to be doing Static Code Review?
If by “static code review,” you mean the combination of both static analysis and code review, the answer is a resounding YES. Source code analysis will allow your developers to identify and mitigate vulnerabilities during the earlier stages of the development process and a final, secure code review will let you sleep ever sounder at night knowing that your application has undergone a full, comprehensive security test before the application rolls out on production.
Which code review tools are you familiar with? Tell us in the comments below!
To gain a deeper understanding of secure code review best practices and learn the pros and cons of manual and automatic secure code reviews, be sure to read 5 Best Practices for the Perfect Secure Code Review