Product Security Glossary

Source Code Analysis

What is source code analysis? 

Source code analysis, also known as static code analysis, involves using automated tools to find programming errors in a program’s source code without running the program.  The goal is to find these errors, which could be either performance or security problems, and fix them before the software ships.

How does source code analysis work? 

Automated analysis tools parse the source code of a program and look for problems that are defined in the tool’s ruleset.  Because the code is examined rather than executed, the program under test doesn’t need to be compiled into a runnable build, and there’s no need to write test cases or supply inputs to run the program against.
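As an added illustration (this is example code written for this entry, not a tool or code from the original glossary), here is a small rule-based analyzer in Python.  It uses the standard library ast module to parse a constructed sample source without compiling or running it, then applies two rules: a SQL query built by string formatting and handed to execute(), and a subprocess call made with shell=True.  The sample source, rule names and messages are assumptions made up for the example.

```python
import ast

# Constructed sample source for the example (not from the page): two query
# functions, one unsafe and one parameterized, plus a shell call.
SAMPLE_SOURCE = '''
def find_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '%s'" % username
    cursor.execute(query)

def find_user_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))

def run(cmd):
    import subprocess
    subprocess.call(cmd, shell=True)
'''


def _is_string_built(node):
    """True when the expression builds a string dynamically: '%', '+', f-string or .format()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


class RuleChecker(ast.NodeVisitor):
    """Walks the syntax tree and applies the ruleset; no code is executed."""

    def __init__(self):
        self.findings = []      # (line number, rule name, message)
        self.assignments = {}   # variable name -> assigned expression, per function

    def visit_FunctionDef(self, node):
        self.assignments = {}   # each function is checked on its own
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assignments[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # Rule 1: a query built by string formatting is passed to execute().
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Name):                 # follow a local variable back to its value
                arg = self.assignments.get(arg.id, arg)
            if _is_string_built(arg):
                self.findings.append((node.lineno, "SQL-INJECTION", "query built by string formatting"))
        # Rule 2: a subprocess call with shell=True.
        if isinstance(func, ast.Attribute) and func.attr in ("call", "run", "Popen", "check_output"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "SHELL-INJECTION", "shell=True with a non-literal command"))
        self.generic_visit(node)


def analyze(source):
    """Parse the source and return the sorted list of findings."""
    checker = RuleChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


if __name__ == "__main__":
    for lineno, rule, message in analyze(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {message}")
```

Running it reports the formatted query on line 4 and the shell call on line 11 of the sample, while the parameterized query in find_user_safe is left alone; everything the checker knows comes from the two rules, which is the point of the next sections.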

Why is source code analysis important? 

Programmers are human, just like the rest of us, and humans make mistakes.  In program source code, those mistakes can produce security weaknesses such as the following:

  • Improper memory allocation or deallocation
  • Buffer overflows
  • Dangling or uninitialized pointers
  • SQL injection
  • Stack overflows
  • Integer overflows
  • Race conditions
  • Missing or incomplete input validation
  • Unhandled exceptions

Any of these problems could present a vulnerability that a malicious actor could exploit.  Once an attacker has exploited a vulnerability, they could steal sensitive data, plant cryptocurrency mining software, join the machine to a botnet, crash the system, or carry out any of a number of other attacks.

These types of errors aren’t always obvious to the human eye, but an automated source code analysis tool can find many of them.

What types of source code analysis programs are available? 

Source code analyzers differ in how far they follow data and control flow through the program, and they fall into two general types.

The intraprocedural type, which is older and simpler, examines each function in isolation.  It can find a bug whose cause and effect both lie inside one function, but it loses track of data once that data is passed to another function.

The interprocedural type is more modern and more complex.  It follows calls from one function to the next and builds an approximation of the program’s execution paths, so it can trace attacker-controlled data from where it enters the program to where it is used.  Both types are driven by a ruleset, and most modern analyzers of either type let the user define the patterns the analyzer should detect.
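To make the difference concrete, here is an added example (written for this entry, not taken from the original page or from any real analyzer) of a toy taint analysis in Python over a constructed sample.  User input enters in handler() and only reaches the SQL sink two calls later, inside run_query().  The intraprocedural pass checks each function alone and misses it; the interprocedural pass re-analyzes each callee with the parameters that received tainted arguments and reports it.  The sample source, the choice of input() as the taint source and execute() as the sink, and the straight-line function bodies are assumptions made for the example.

```python
import ast

# Constructed sample source for the example (not from the page).
SAMPLE_SOURCE = '''
def handler(cursor):
    user_id = input("id: ")
    lookup(cursor, user_id)

def lookup(cursor, ident):
    run_query(cursor, ident)

def run_query(cursor, value):
    cursor.execute("SELECT * FROM users WHERE id = " + value)

def report(cursor):
    run_query(cursor, "42")
'''

SOURCES = {"input"}   # calls whose return value is attacker-controlled (assumption for the example)


def is_source(node):
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in SOURCES


def tainted_expr(node, tainted):
    """True if the expression reads a tainted variable or calls a source."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if is_source(sub):
            return True
    return False


def analyze_function(fn, tainted_params=()):
    """Intraprocedural pass over one function's straight-line body.

    Returns (findings, propagated): findings are (function name, sink line);
    propagated maps each callee name to the set of argument positions that
    received tainted data, for an interprocedural driver to follow up on."""
    tainted = set(tainted_params)
    findings, propagated = [], {}
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if tainted_expr(stmt.value, tainted):
                tainted.add(stmt.targets[0].id)          # taint flows through assignment
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if isinstance(call.func, ast.Attribute) and call.func.attr == "execute":
                if call.args and tainted_expr(call.args[0], tainted):
                    findings.append((fn.name, call.lineno))  # tainted data reaches the sink
            elif isinstance(call.func, ast.Name):
                positions = {i for i, arg in enumerate(call.args) if tainted_expr(arg, tainted)}
                if positions:
                    propagated[call.func.id] = positions
    return findings, propagated


def intraprocedural(source):
    """Check every function on its own; parameters are never assumed tainted."""
    tree = ast.parse(source)
    findings = []
    for fn in tree.body:
        if isinstance(fn, ast.FunctionDef):
            findings += analyze_function(fn)[0]
    return sorted(set(findings))


def interprocedural(source):
    """Follow tainted arguments into callees with a worklist of (function, tainted params)."""
    tree = ast.parse(source)
    funcs = {fn.name: fn for fn in tree.body if isinstance(fn, ast.FunctionDef)}
    worklist = [(name, frozenset()) for name in funcs]
    seen, findings = set(), []
    while worklist:
        name, params = worklist.pop()
        if (name, params) in seen:
            continue
        seen.add((name, params))
        found, propagated = analyze_function(funcs[name], params)
        findings += found
        for callee, positions in propagated.items():
            if callee in funcs:
                callee_args = funcs[callee].args.args
                callee_params = frozenset(callee_args[i].arg for i in positions if i < len(callee_args))
                worklist.append((callee, callee_params))   # re-analyze the callee in this context
    return sorted(set(findings))


if __name__ == "__main__":
    print("intraprocedural:", intraprocedural(SAMPLE_SOURCE))
    print("interprocedural:", interprocedural(SAMPLE_SOURCE))
```

The intraprocedural pass returns nothing for the sample because run_query, examined alone, has no reason to treat its parameter as untrusted; the interprocedural pass reports the execute() call in run_query, and does not report the report() function, whose argument is a constant.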

What are the strengths and weaknesses of source code analysis? 

Source code analysis is great for finding common programming errors.  But source code analyzers are only as good as the ruleset they use.  A poorly designed ruleset causes the analyzer either to miss real problems (false negatives) or to report problems that don’t exist (false positives).  Also, source code analysis only deals with how the programming language is used in the source code.  It can’t detect architectural or design flaws.  It also can’t reliably detect when passwords or other sensitive data have been embedded in the source code: it flags only secrets that match a pattern in its ruleset, and a credential in an unexpected format or location goes unnoticed.  For these reasons, automated source code analysis should be accompanied by a manual review of the code.  The bottom line is that source code analyzers catch errors that humans might miss, and humans catch errors that the analyzers can’t.  So, even though automated source code analysis has weaknesses, it’s still an invaluable part of the software development lifecycle.
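The ruleset limitation is easy to see with hardcoded secrets.  The following added example (written for this entry; not code from the original page or from any real secret-scanning tool) runs two made-up regular-expression rules over a constructed four-line file and compares the hits against the known secret lines.  The rules catch two real secrets, flag a harmless header name whose variable happens to contain "PASSWORD" (a false positive), and miss a credential embedded in a connection URL that matches neither rule (a false negative).  The sample file, rule names and patterns are assumptions for the example.

```python
import re

# Constructed sample file for the example (not from the page).
SAMPLE_FILE = '''\
DB_PASSWORD = "s3cr3t-pr0d-pass"                          # true positive
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                           # true positive
PASSWORD_HEADER = "X-Password"                             # false positive: name matches, value is a header name
cfg = {"db": "postgres://app:s3cr3t-pr0d-pass@db/app"}     # false negative: credential inside a URL, no rule covers it
'''

# Ground truth for the constructed sample: the lines that really contain a credential.
KNOWN_SECRET_LINES = {1, 2, 4}

# The analyzer knows only these two shapes (made-up rules for the example).
RULES = [
    ("hardcoded-credential",
     re.compile(r'(?i)\b\w*(password|passwd|secret|token)\w*\s*=\s*["\'][^"\']+["\']')),
    ("aws-access-key-id",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]


def scan(text):
    """Return (line number, rule name) for every line that matches a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def evaluate(hits, truth):
    """Compare flagged lines with the known secret lines."""
    flagged = {lineno for lineno, _ in hits}
    return {
        "true_positives": sorted(flagged & truth),
        "false_positives": sorted(flagged - truth),
        "false_negatives": sorted(truth - flagged),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_FILE)
    for lineno, name in hits:
        print(f"line {lineno}: {name}")
    print(evaluate(hits, KNOWN_SECRET_LINES))
```

The missed line is exactly the case a manual review catches: a human reading the file recognizes the credential in the URL regardless of the variable name, while the analyzer sees only what its patterns describe.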