Static Code Analysis

What is Static Code Analysis?

Static code analysis (source code analysis) is usually performed as part of code review and is carried out during the implementation phase of a Secure Software Development Life Cycle (Secure SDLC). Among the different testing approaches, static code analysis falls under white-box testing. In practice the term commonly refers to running a static code analysis tool over the source code in an attempt to find possible vulnerabilities.

Note: the program (source code) is not run during static code analysis; if the program is run and tested, the analysis falls under dynamic analysis.

Secure Software Development Life Cycle

[Figure: Secure SDLC]

Static code analysis lab with Find Security Bugs

Eclipse is used for the static analysis, with the Find Security Bugs plugin.


1. Installation of the FindBugs plugin

[Screenshot: Eclipse Marketplace]

2. Configuration

The recommended configuration for Find Security Bugs is to limit the scan to the security bug detectors only. Go to Eclipse -> Preferences (Mac) or Window -> Preferences (Windows). Then go to Java -> FindBugs and, on the “Reporting configuration” tab, make sure that only “Security” is checked in the “Reported (visible) bug categories” list.

[Screenshot: Find Security Bugs reporting configuration]

3. Find out vulnerabilities

[Screenshot: scanning the project with Find Security Bugs]

[Screenshot: scan results]
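To see the scan from step 3 produce findings, the following constructed Java class (added here as an example; it is not code from the original post or from the Find Security Bugs project) puts two patterns the security detectors flag next to their hardened forms. The class name, table and column names are made up; the bug pattern names in the comments are the ones Find Security Bugs uses for these detectors.

```java
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Constructed sample to scan in Eclipse with Find Security Bugs (not from the original post).
public class UserLookup {

    // VULNERABLE: the username is concatenated into the query text, so a quote
    // character in the input changes the meaning of the SQL. Find Security Bugs
    // reports this under its JDBC SQL injection detector (SQL_INJECTION_JDBC).
    public static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id, name FROM users WHERE name = '" + username + "'");
    }

    // FIXED: the query text is a constant and the username is bound as a parameter,
    // so the driver sends it as data rather than as SQL. The detector stays silent here.
    public static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // VULNERABLE: java.util.Random is predictable, so a session token built from it
    // can be guessed. Find Security Bugs reports this as PREDICTABLE_RANDOM.
    public static String sessionTokenUnsafe() {
        return Long.toHexString(new java.util.Random().nextLong());
    }

    // FIXED: SecureRandom draws from a cryptographically strong source.
    public static String sessionTokenSafe() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

With only the “Security” category enabled as configured in step 2, the scan should list the two unsafe methods and nothing else from this file.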

Reference

https://www.owasp.org/index.php/Static_Code_Analysis

http://searchwindevelopment.techtarget.com/definition/static-analysis
