What is Static Code Analysis?
Static code analysis (source code analysis) is usually performed as part of code review and is carried out during the implementation phase of a Secure Software Development Life Cycle (Secure SDLC). Among the different testing approaches, static code analysis falls under white-box testing. In practice it usually means running a static code analysis tool over the source code in an attempt to find possible vulnerabilities.
Note: the program (source code) is not executed during static code analysis; if the program is run and tested, the analysis falls under dynamic analysis instead.
Secure Software Development Life Cycle
Static code analysis lab with Find Security Bugs
Eclipse is used to perform the static analysis with the Find Security Bugs plugin.
1. Installation of the FindBugs plugin
The recommended configuration for Find Security Bugs is to limit the scan to the security bug detectors only. Go to Eclipse -> Preferences (Mac) or Window -> Preferences (Windows), then to Java -> FindBugs, and make sure that only “Security” is checked in the “Reported (visible) bug categories” list on the “Reporting configuration” tab.
3. Find out vulnerabilities
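As an added example for this step (constructed here, not part of the original lab), the class below is the kind of Java input you would scan: `findUserUnsafe` builds the SQL text from an untrusted string, the pattern Find Security Bugs reports as a potential SQL injection, while `findUserSafe` passes the same input as a bound parameter and produces no such finding. The class name, method names and table are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Constructed sample for the scanning step: one method concatenates
// untrusted input into the query string, the other binds it as a parameter.
public class UserLookup {

    private final Connection conn;

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable: 'username' is concatenated into the SQL text, so any
    // quote character in the value changes the meaning of the statement.
    // The analyser flags this because a tainted value reaches
    // Statement.executeQuery without being separated from the SQL syntax.
    public ResultSet findUserUnsafe(String username) throws SQLException {
        Statement stmt = conn.createStatement();
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        return stmt.executeQuery(sql);
    }

    // Hardened: the query text is a constant and the input is bound with
    // setString, so the driver always treats it as data, never as SQL.
    public ResultSet findUserSafe(String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```

After adding this file to the Eclipse project and running FindBugs with the "Security" category enabled, the finding should point at the `executeQuery(sql)` line in `findUserUnsafe` and not at `findUserSafe`.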