Static Code Analysis - Overview

Static code analysis is performed as part of code review (a white-box testing activity) in the SDLC to highlight possible vulnerabilities in source code. Many commercial and open-source tools can detect such vulnerabilities automatically, giving developers immediate feedback on code quality and security flaws while the code is still being written, before it reaches test or production.

Automated analysis relies on the following techniques: data flow analysis, control flow graphs, taint analysis and lexical analysis. Data flow analysis tracks how values propagate through a program (which assignments can reach which uses) without executing it. A control flow graph is a representation of the program as basic blocks and the paths execution can take between them; the analyzer walks these paths instead of running the code. Taint analysis marks variables that can be influenced by user input (sources), follows them through assignments and calls, and reports where they reach a sensitive operation such as a database query or shell command (a sink) without passing through a sanitizer. Lexical analysis converts source text into tokens (identifiers, operators, literals) so that patterns such as a call to a known-dangerous function, or a credential assigned as a string literal, can be matched without a full parse.
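The following is an added example of a purely lexical rule, not code from the original page or from any of the tools it lists. It uses Python's standard tokenize module to scan source text for a credential-looking identifier followed by "=" and a non-empty string literal, the way early SAST tools matched token patterns. The identifier pattern, the sample source and the rule's thresholds are all constructed for this example.

```python
import io
import re
import tokenize

# Identifier pattern that suggests a credential (constructed for this example).
SECRET_NAME = re.compile(r"passw(or)?d|secret|api_?key|token", re.IGNORECASE)

# Token types that carry no information for this rule and are dropped before matching.
SKIP = {tokenize.NL, tokenize.NEWLINE, tokenize.COMMENT, tokenize.INDENT, tokenize.DEDENT}


def find_hardcoded_secrets(source):
    """Return (line, identifier) for every NAME '=' STRING token triple where the
    identifier looks like a credential and the literal is non-empty.
    Purely lexical: no parsing, no scoping, no types."""
    tokens = [t for t in tokenize.generate_tokens(io.StringIO(source).readline)
              if t.type not in SKIP]
    findings = []
    for name, op, value in zip(tokens, tokens[1:], tokens[2:]):
        if (name.type == tokenize.NAME and SECRET_NAME.search(name.string)
                and op.type == tokenize.OP and op.string == "="
                and value.type == tokenize.STRING and len(value.string) > 2):
            findings.append((name.start[0], name.string))
    return findings


# Constructed sample source under analysis; it is scanned as text, never executed.
SAMPLE = """\
import os
DB_PASSWORD = "hunter2"
api_key = os.environ["API_KEY"]
token = ""
password_hint = "your pet's name"
conn = connect(host="localhost", password="s3cret")
"""

if __name__ == "__main__":
    for line, ident in find_hardcoded_secrets(SAMPLE):
        print(f"line {line}: possible hard-coded credential in {ident}")
```

Because the rule sees only tokens, it catches both the module-level assignment and the keyword argument on line 6, but it also reports password_hint on line 5, which holds no secret: lexical rules are cheap and fast, and noisy for exactly that reason.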

This analysis produces both false positives and false negatives, because the tool cannot fully determine the integrity and security of the data flowing through the application from input to output: it does not know which library calls sanitize data, which branches are reachable, or how the application is configured at runtime. No tool eliminates all vulnerabilities, but static analysis finds a large share of common issues early, during development, when they are cheapest to fix.
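To make the data flow and taint analysis described above concrete, and to show where the false positives and negatives come from, here is an added example of a small taint tracker over a Python AST. It is not code from the original page or from any listed tool. The source, sink and sanitizer tables are constructed for this example (a real tool ships large, framework-specific tables), and the program it analyzes is a constructed sample that is parsed, never run.

```python
import ast

# Constructed tables for this example.
SOURCES = {"input", "request.args.get"}                  # calls returning user-controlled data
SINKS = {"cursor.execute": 0, "os.system": 0, "eval": 0}  # call -> index of the dangerous argument
SANITIZERS = {"int", "shlex.quote"}                       # calls whose result is treated as clean


def qualname(node):
    """Dotted name for a Name/Attribute chain such as request.args.get, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Intraprocedural, path-insensitive taint tracker over one module's AST.
    Statements are processed in textual order; branches, loops and calls into
    other functions are not modelled, which is one reason real tools misreport."""

    def __init__(self):
        self.tainted = set()   # variable names currently carrying user input
        self.findings = []     # (line, sink) pairs where tainted data reached a sink

    def is_tainted(self, expr):
        # A name is tainted if a tainted value was last assigned to it. A call is a
        # source (tainted), a sanitizer (clean, propagation stops), or an ordinary
        # call that is tainted if any operand is. Concatenation, f-strings, tuples
        # and unknown functions all propagate taint conservatively.
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            fn = qualname(expr.func)
            if fn in SOURCES:
                return True
            if fn in SANITIZERS:
                return False
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(expr))

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            for name in ast.walk(target):
                if isinstance(name, ast.Name):
                    (self.tainted.add if tainted else self.tainted.discard)(name.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = qualname(node.func)
        idx = SINKS.get(fn)
        if idx is not None and idx < len(node.args) and self.is_tainted(node.args[idx]):
            self.findings.append((node.lineno, fn))
        self.generic_visit(node)


def find_taint_flows(source):
    """Parse `source` and return [(line, sink)] for every source-to-sink flow found."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program under analysis (parsed only, never executed).
SAMPLE = """\
import os, shlex
uid = input()
cursor.execute("SELECT * FROM users WHERE id = " + uid)
cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
name = request.args.get("name")
os.system("ls " + name)
os.system("ls " + shlex.quote(name))
count = int(uid)
eval(f"{count} + 1")
"""

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: user input reaches {sink}")
```

Lines 3 and 6 of the sample are reported (string concatenation into a query and into a shell command); line 4 is not, because only the query text is checked and the parameterized value travels separately; lines 7 and 9 are not, because the data passed through a listed sanitizer. Remove shlex.quote from SANITIZERS and line 7 becomes a false positive; add a sanitizer that does not actually neutralize the sink and you get a false negative. That dependence on the tables, plus the lack of branch and cross-function modelling, is exactly the uncertainty the paragraph above describes.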

Tool selection can be based on the following parameters:

  • Integration with IDE
  • Licensed or Open Source
  • Types of vulnerabilities it can detect (OWASP Top 10 / Seven Deadly Sins of Quality)

OWASP is the Open Web Application Security Project, a community dedicated to web application security. Its Top 10 list of web application flaws (the 2013 edition is used here) is given below:

  1. Injection - Flaws such as SQL injection, where untrusted input is interpreted as part of a query or command, allowing an attacker to read or modify data.

  2. Broken Authentication and Session Management - Authentication and session handling are implemented incorrectly, allowing an attacker to compromise passwords, keys or session tokens, or to assume another user's identity.

  3. Cross-Site Scripting (XSS) - The application takes untrusted data and sends it to a web browser without proper validation or escaping, allowing an attacker to execute scripts in the victim's browser.

  4. Insecure Direct Object References - Code exposes a reference to an internal object (a file, database key or directory) without an access control check, so an attacker can manipulate the reference to obtain unauthorized data.

  5. Security Misconfiguration - Secure settings are not the defaults; they have to be defined and maintained for the web server, application framework, database server and platform, otherwise insecure defaults remain in place.

  6. Sensitive Data Exposure - Sensitive data such as credit card numbers and customer profile information must be encrypted in storage and in transit and otherwise protected; if it is not, an attacker who obtains it can steal or misuse it.

  7. Missing Function Level Access Control - The application must verify function-level access rights on the server for every request, not only hide links in the UI; otherwise an attacker can forge requests to reach functions they are not authorized for.

  8. Cross-Site Request Forgery (CSRF) - Forces a logged-on victim's browser to send a forged HTTP request, carrying the victim's session cookie, to a vulnerable web application, which then processes it as a legitimate request.

  9. Using Components with Known Vulnerabilities - Components such as libraries and frameworks almost always run with the full privileges of the application, so a component with a known vulnerability can undermine application defenses and enable a range of attacks and impacts.

  10. Unvalidated Redirects and Forwards - Without validation of the target, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Seven Deadly Sins of Quality

These are the seven axes of code quality tracked by SonarQube, which code quality tools measure alongside security findings:

  1. Duplicated code
  2. Coding standards (rule violations)
  3. Unit tests (missing or failing)
  4. Complex code
  5. Potential bugs
  6. Comments (lack of documentation)
  7. Design and architecture

Some static code analysis tools for .NET are the following:

Code Security Tools

  • Fortify
  • Veracode
  • Microsoft CAT.NET
  • Coverity Security Analyser

Code Quality Tools

  • ReSharper
  • NDepend
  • SonarQube
  • Microsoft FxCop
  • Parasoft