Best Practices of Static Analysis in the
SDLC




                    Part 1
                November 2010
Agenda



                 1. House Keeping - Certification Overview
                 2. Very Brief Parasoft Introduction
                 3. Today’s Agenda




Parasoft Proprietary and Confidential
House Keeping - Certification

                Two 45-minute live interactive sessions focused on static
                analysis best practices for development, testing, and
                management

                      Session 1: Best Practices of Static Analysis
                      Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm – 3:00pm EST
                      Session 2: Best Practices of Static Analysis
                      Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST

                Materials published day after on-line session
                Final exam (multiple choice) on-line
                Certificate of completion from Parasoft Corporation




Important Note


                        This course is not designed to
                              Teach how to do security
                              Review (in depth) the reasons “why” we
                              should have solid software
                              Cover how to use any specific tool


                        This course is designed to
                              Explain available SA techniques and what
                              they’re used for
                              Help avoid common pitfalls
                              Provide in-depth examples of selected best
                              practices and teach you how to optimize them
                              for the software development environment

About Parasoft

                  Founded in 1987
                  27 Patents for automated quality processes
                  Build quality into the process
                  Static Analysis tools since 1994




Parasoft Capabilities


       Technologies
              Quality Policy Management
              Task Management
              Code Analysis – Pattern Based
              Code Analysis – Flow Based
              Code Analysis – Metrics
              Code Review
              Unit Testing Framework
              Memory Error Detection
              Runtime Analysis
              Message/Protocol Testing
              Application Behavior Emulation
              Functional Testing
              Load Testing

Agenda for this session




              Define static analysis
              Define “false positives”
              Static analysis for Security
              Static analysis for defect prevention
              Static analysis for process improvement




What IS Static Analysis?



              Variety of methods
                    Peer Review / Manual Code Review / Code Inspection
                    Pattern-based code scanners
                    Flow-based code scanners
                    Metrics-based code scanners
                    Compiler / build output




What is: Peer Code Review


             What:
               A human review process provides checks and balances
               for finding and preventing human mistakes.
             Why:
               Find defects early
               Find real functional problems
               Increase breadth of understanding
               Increase productivity




Peer Code Review



          Review policies
                Coder / reviewer pairs
                QA reviewer / test review
                Frequency
                Scope
                Pre-commit vs. post-commit review
          Automation potential
                A system to enforce the review policy
                Track unreviewed changes
                Facilitate non-blocking communication



Methods of Code Review



              Code Review “in a room”
                    Wastes time
                    Developers are inhibited
              Using an automated infrastructure
                    Consistent




Determining Reviewers


              Who reviews whom
                    How close are they in the code?
                    Increase code understanding




What is: Pattern-Based SA


              What:
                    Identify specific patterns in the code
              Why:
                    Find bugs
                    Ensure inclusion of required items
                          Security
                          Branding
                    Prevent Problems
                    Improve Developers




Pattern-Based Static Analysis


              Quick scan to list possible problems
              Fixing violations prevents certain classes of
              errors
              Each source file is analyzed separately
              Static analysis categories include:
                    Logical Errors
                    API Misuse
                    Typographical Errors
                    Security
                    Threads and Synchronization
                    Performance and Optimization

What is: Data Flow Analysis


              What:
                    Simulate execution to find patterns
              Why:
                    Find real bugs




Data Flow Analysis


              Simulate hypothetical execution paths
              Detect possible errors along those paths
              Data flow analysis error categories include:
                    Exceptions
                    Optimization
                    Resource Leaks
                    API misuse
                    Security




What is: Code Metrics



              What:
                    Measurement of code based on various statistics
              Why:
                    Understanding code
                    Possible problems




Code Analysis Perceptions



              “Static analysis is a pain”
              “False positive” has varying definitions
                          I don’t like it
                          It was wrong




Pattern based false positives



              True false positives generally indicate a rule deficiency
              Context
                    Does this apply here and now?
                    In-code suppressions to document decision




Flow Analysis False Positives



              False positives are inevitable
              Finds real bugs
              Flow analysis is not comprehensive




Static Analysis for Security



              Flow analysis finds the low-hanging fruit
              Flow analysis won’t guarantee security
              SA prevents security problems
              Input validation is key




Static Analysis for Prevention



              It’s quicker to deal with false positives than bugs
              Flow analysis finds complicated problems
              Runtime analysis should match flow analysis
              Rules should be chosen based on real problems




SA for Process Improvement



              Flow analysis won’t find everything
              Flow rules have corresponding pattern-based
              rules
              Prevent the potential rather than chase paths
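As an added example that is not code from this deck or from Parasoft, the following toy analyzer contrasts the three ideas above: a pattern-based rule that flags every `shell=True` call in a file with no context, a flow-based rule that simulates data flow through each function and flags the call only when parameter-derived data reaches it, and an in-code suppression that documents a deliberate decision. The sample module, the `sa-suppress` comment convention and the rule names SHELL_TRUE / TAINTED_SHELL are constructed assumptions for this example.

```python
import ast

# Assumed in-code suppression convention for this example (not a vendor syntax):
#   <statement>  # sa-suppress RULE_ID: reason
SUPPRESS_TAG = "sa-suppress"

# Constructed sample module under analysis: three shell=True calls, of which only
# the first actually passes data derived from an untrusted parameter.
SAMPLE_SOURCE = '''\
import subprocess

def run_report(name):
    cmd = "gen_report " + name
    subprocess.call(cmd, shell=True)

def run_daily():
    cmd = "gen_report daily"
    subprocess.call(cmd, shell=True)  # sa-suppress SHELL_TRUE: constant command

def run_checked(name):
    cmd = "gen_report " + name
    cmd = "gen_report daily"
    subprocess.call(cmd, shell=True)
'''


def _has_shell_true(call):
    """True when the call carries the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def _suppressed(lines, lineno, rule):
    """An in-code suppression comment documents the decision to accept a finding."""
    text = lines[lineno - 1]
    comment = text.split("#", 1)[1] if "#" in text else ""
    return SUPPRESS_TAG in comment and rule in comment


def pattern_scan(source):
    """Pattern-based rule SHELL_TRUE: report every shell=True call with no context.
    Returns (rule, line, suppressed) tuples sorted by line."""
    lines = source.splitlines()
    findings = [("SHELL_TRUE", n.lineno, _suppressed(lines, n.lineno, "SHELL_TRUE"))
                for n in ast.walk(ast.parse(source))
                if isinstance(n, ast.Call) and _has_shell_true(n)]
    return sorted(findings, key=lambda f: f[1])


def _is_tainted(expr, tainted):
    """Does the expression derive from a tainted name? Names, concatenation and
    calls on or with tainted data propagate taint; everything else is trusted."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):
        return _is_tainted(expr.left, tainted) or _is_tainted(expr.right, tainted)
    if isinstance(expr, ast.Call):
        parts = list(expr.args)
        if isinstance(expr.func, ast.Attribute):
            parts.append(expr.func.value)  # e.g. name.strip() stays tainted
        return any(_is_tainted(p, tainted) for p in parts)
    return False


def _statements(body):
    """Yield statements in source order, descending into nested blocks."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, field, []))


def flow_scan(source):
    """Flow-based rule TAINTED_SHELL: simulate data flow through each function,
    treating parameters as untrusted, and report a shell=True call only when its
    command expression still derives from that input at the call site."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args}
        for stmt in _statements(func.body):
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if _is_tainted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)  # overwritten with trusted data: taint killed
            value = getattr(stmt, "value", None)  # Expr / Assign / Return payload
            for node in (ast.walk(value) if value is not None else ()):
                if (isinstance(node, ast.Call) and _has_shell_true(node)
                        and node.args and _is_tainted(node.args[0], tainted)):
                    findings.append(("TAINTED_SHELL", node.lineno, False))
    return sorted(findings, key=lambda f: f[1])
```

On the sample, the pattern rule fires on all three calls (one of them suppressed with a documented reason), while the flow rule fires only on line 5, because reassigning `cmd` to a constant kills the taint before the call in `run_checked`.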




House Keeping - Certification

                Two 45-minute live interactive sessions focused on static
                analysis best practices for development, testing, and
                management

                      Session 1: Best Practices of Static Analysis
                      Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm – 3:00pm EST
                      Session 2: Best Practices of Static Analysis
                      Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
                             Process infrastructure
                             Workflows
                             Choosing the best configuration
                             And more
                Materials published day after on-line session
                Final exam (multiple choice) on-line
                Certificate of completion from Parasoft Corporation




Q&A



              Questions




Further Reading

           Automated Defect Prevention (Huizinga & Kolawa)
           …Principles and processes to improve the software development process.

           Effective C++ / More Effective C++ (Meyers)
           …Definitive work on proper C++ design and programming.

           Effective Java (Bloch)
           …Best-practice solutions for programming challenges.

           Design Patterns (Gamma, Helm, Johnson, Vlissides)
           …Timeless and elegant solutions to common problems.




DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Best Practices of Static Code Analysis in the SDLC

  • 1. Best Practices of Static Analysis in the SDLC, Part 1 (November 2010)
  • 2. Agenda
      1. House Keeping - Certification Overview
      2. Very Brief Parasoft Introduction
      3. Today's Agenda
      Parasoft Proprietary and Confidential
  • 3. House Keeping - Certification
      2 x 45-minute live interactive sessions focused on static analysis, using best practices for development, testing, and management
      Session 1: Best Practices of Static Analysis - Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
      Session 2: Best Practices of Static Analysis - Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
      Materials published on-line the day after each session
      Final exam (multiple choice) on-line
      Certificate of completion from Parasoft Corporation
  • 4. Important Note
      This course is not designed to:
        - teach how to do security
        - review (in depth) the reasons why we should have solid software
        - cover how to use any specific tools
      This course is designed to:
        - explain the available SA techniques and what each is used for
        - help avoid common pitfalls
        - provide in-depth examples of selected best practices and show how to optimize them for the software development environment
  • 5. About Parasoft
      Founded in 1987; 27 patents for automated quality processes; build quality into the process; static analysis tools since 1994
  • 6. Parasoft Capabilities
      Technologies: Quality Policy Management, Task Management, Code Analysis - Pattern Based, Code Analysis - Flow Based, Code Analysis - Metrics, Code Review, Unit Testing Framework, Memory Error Detection, Runtime Analysis, Message/Protocol Testing, Application Behavior Emulation, Functional Testing, Load Testing
  • 7. Agenda for this session
      Define static analysis; define "false positives"; static analysis for security; static analysis for defect prevention; static analysis for process improvement
  • 8. What IS Static Analysis? A variety of methods:
      Peer review / manual code review / code inspection
      Pattern-based code scanners
      Flow-based code scanners
      Metrics-based code scanners
      Compiler / build output
  • 9. What is: Peer Code Review
      What: a human review process that provides checks and balances for finding and preventing human mistakes
      Why: find defects early; find real functional problems; increase breadth of understanding; increase productivity
  • 10. Peer Code Review
      Review policies: coder / reviewer pairs; QA reviewer / test review; frequency; scope; pre-commit vs. post-commit review
      Automation potential: a system to enforce the review policy; track un-reviewed changes; facilitate non-blocking communication
  • 11. Methods of Code Review
      Code review "in a room": wastes time; developers are inhibited
      Using an automated infrastructure: consistent
  • 12. Determining Reviewers
      Who reviews whom? How close are they in the code? Increase code understanding
  • 13. What is: Pattern-Based SA
      What: identify specific patterns in the code
      Why: find bugs; ensure inclusion of required items (security, branding); prevent problems; improve developers
  • 14. Pattern-Based Static Analysis
      Quick scan to list possible problems
      Fixing violations prevents certain classes of errors
      Each source file is analyzed separately
      Static analysis categories include: logical errors, API misuse, typographical errors, security, threads and synchronization, performance and optimization
  • 15. What is: Data Flow Analysis
      What: simulate execution to find patterns
      Why: find real bugs
  • 16. Data Flow Analysis
      Simulate hypothetical execution paths and detect possible errors along those paths
      Data flow analysis error categories include: exceptions, optimization, resource leaks, API misuse, security
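Added example, not Parasoft's code or engine: a toy flow-based (taint) analysis that does what slides 15 and 16 describe, simulating the hypothetical paths through one function and reporting untrusted data that reaches a dangerous call. The source, sink and sanitizer tables, the function names and the sample program are all assumptions made for this example.

```python
"""Toy flow-based (taint) analysis for one Python function (added example, not
Parasoft's engine): walk statements in order, simulate both arms of each if/else
as hypothetical paths, and report untrusted data that reaches a sink."""
import ast

# Hypothetical tables for the example; a real tool ships far larger ones.
SOURCES = {"input", "request.args.get"}
SINKS = {"os.system": "OS command injection", "cursor.execute": "SQL injection"}
SANITIZERS = {"shlex.quote", "int"}

def qualname(node):
    """Dotted name of a Name/Attribute chain such as request.args.get, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def expr_taint(expr, env):
    """Origins that may flow into expr; env maps variable -> set of origins."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id, set())
    if isinstance(expr, ast.Call):
        fname = qualname(expr.func)
        if fname in SOURCES:
            return {f"{fname}() at line {expr.lineno}"}
        if fname in SANITIZERS:                      # sanitizer output is trusted
            return set()
        args = list(expr.args) + [kw.value for kw in expr.keywords]
        return set().union(*(expr_taint(a, env) for a in args))
    if isinstance(expr, ast.BinOp):                  # "cmd " + x, "%s" % x
        return expr_taint(expr.left, env) | expr_taint(expr.right, env)
    return set()                                     # literals and unknown shapes

def check_sinks(expr, env, findings):
    """Append (line, sink, category, origins) for each tainted sink call in expr."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Call) and qualname(node.func) in SINKS:
            origins = set().union(*(expr_taint(a, env) for a in node.args))
            if origins:
                sink = qualname(node.func)
                findings.append((node.lineno, sink, SINKS[sink], frozenset(origins)))

def join(a, b):
    """Merge two path environments; None marks a path that cannot fall through."""
    if a is None or b is None:
        return b if a is None else a
    return {v: a.get(v, set()) | b.get(v, set()) for v in set(a) | set(b)}

def run_block(stmts, env, findings):
    """Simulate stmts from env; return the fall-through env, or None if none."""
    env = dict(env)
    for s in stmts:
        if isinstance(s, ast.Assign):
            check_sinks(s.value, env, findings)
            taint = expr_taint(s.value, env)
            for tgt in s.targets:
                if isinstance(tgt, ast.Name):
                    env[tgt.id] = taint
        elif isinstance(s, ast.Expr):
            check_sinks(s.value, env, findings)
        elif isinstance(s, ast.If):
            # Both arms are hypothetical paths. The condition is not interpreted,
            # so a validating guard such as isdigit() does not clear taint.
            env = join(run_block(s.body, env, findings), run_block(s.orelse, env, findings))
            if env is None:
                return None
        elif isinstance(s, ast.Return):
            return None                              # this path ends here
    return env

def analyze(source):
    """Findings for every top-level function in source, ordered by line."""
    findings = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            run_block(node.body, {}, findings)
    return sorted(findings, key=lambda f: f[0])

# Constructed sample: one real injection and one false positive.
SAMPLE = '''\
import os, shlex
def ping(request):
    host = request.args.get("host")
    if request.args.get("raw"):
        cmd = "ping -c 1 " + host
    else:
        cmd = "ping -c 1 " + shlex.quote(host)
    os.system(cmd)                     # reachable with raw host: real bug
    count = request.args.get("n")
    if not count.isdigit():
        return
    os.system("ping -c " + count)      # guarded by isdigit(): false positive
'''

if __name__ == "__main__":
    for line, sink, category, origins in analyze(SAMPLE):
        print(f"line {line}: {category} via {sink}({', '.join(sorted(origins))})")
```

On the sample both os.system() calls are reported. The first is a real injection: on the `raw` path the host reaches the shell unquoted, and the sanitized else-branch does not help because the join after the if keeps the taint from either path. The second is a false positive: the isdigit() guard makes the value safe, but the engine only follows data, it does not interpret the condition. That is the trade-off slide 20 states, and it is why clearing taint through a sanitizer the tool recognizes (shlex.quote here) is the reliable way to make a finding go away.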
  • 17. What is: Code Metrics
      What: measurement of code based on various statistics
      Why: understanding the code; spotting possible problems
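Added example, not Parasoft's metrics engine: a small metrics pass of the kind slide 17 describes, computing cyclomatic complexity, size and parameter count per function and flagging functions whose numbers point at a possible problem. The thresholds, the function names and the sample file are assumptions made for this example.

```python
"""Toy code-metrics pass (added example, not Parasoft's engine). Complexity follows
the usual McCabe convention: 1 plus one per decision point, and each extra operand
of an and/or expression counts as a hidden branch."""
import ast

# Nodes that introduce one extra path each.
DECISION_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
                  ast.ExceptHandler, ast.comprehension)

def cyclomatic_complexity(func):
    """McCabe complexity of one function body (nested defs are counted in)."""
    cc = 1
    for node in ast.walk(func):
        if isinstance(node, DECISION_NODES):
            cc += 1
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1
    return cc

def function_metrics(source):
    """Return {function name: {"complexity", "lines", "params"}} for one file."""
    metrics = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            metrics[node.name] = {
                "complexity": cyclomatic_complexity(node),
                "lines": node.end_lineno - node.lineno + 1,
                "params": len(node.args.args),
            }
    return metrics

def over_threshold(source, max_complexity=10, max_lines=50):
    """Names of functions whose metrics exceed the assumed review thresholds."""
    return sorted(name for name, m in function_metrics(source).items()
                  if m["complexity"] > max_complexity or m["lines"] > max_lines)

# Constructed sample file: one trivial function and one branchy one.
SAMPLE = '''\
def parse_port(s):
    return int(s)

def route(pkt, rules, deny_list):
    if pkt.src in deny_list or pkt.dst in deny_list:
        return "drop"
    for r in rules:
        if r.proto == pkt.proto and r.port == pkt.port:
            if r.action == "allow":
                return "accept"
            elif r.action == "log":
                log(pkt)
            else:
                return "drop"
    while pkt.retries > 0:
        pkt.retries -= 1
    return "accept" if pkt.proto == "tcp" else "drop"
'''

if __name__ == "__main__":
    for name, m in function_metrics(SAMPLE).items():
        print(f"{name}: complexity {m['complexity']}, {m['lines']} lines, {m['params']} params")
    print("review candidates:", over_threshold(SAMPLE, max_complexity=8))
```

route() scores 10 (seven branching statements plus the two boolean operators), which is exactly the point where a reviewer would start asking whether every path has a test. Metrics only suggest where to look; they do not say that anything is wrong.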
  • 18. Code Analysis Perceptions
      "Static analysis is a pain"
      "False positive" has varying definitions: "I don't like it" (the result is unwelcome) and "It was wrong" (the result is incorrect)
  • 19. Pattern-Based False Positives
      True false positives are generally a rule deficiency
      Context: does this rule apply here and now?
      Use in-code suppressions to document the decision
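Added example, not Parasoft's rule engine: a toy pattern-based scanner of the kind slides 13 and 14 describe, matching a few security patterns in one file at a time, together with the in-code suppressions slide 19 calls for. A suppression that names the rule and gives a reason is honored; one without a reason is itself reported, so every silenced finding carries its decision. The rule identifiers, the `# nosa:` comment syntax and the sample file are assumptions made for this example.

```python
"""Toy pattern-based static analysis with justified in-code suppressions (added
example, not Parasoft's rule engine). Each file is parsed and matched on its own:
no cross-file or path reasoning, which is what keeps pattern rules fast."""
import ast
import re

# Hypothetical rule identifiers and suppression syntax chosen for this example.
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output"}
SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key)$", re.I)
# Trailing comment that silences one rule on that line: "# nosa: RULE reason: why"
SUPPRESS_RE = re.compile(r"#\s*nosa:\s*([\w.]+)(?:\s+reason:\s*(.+))?$")

def qualname(node):
    """Dotted name of a Name/Attribute chain such as subprocess.run, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def find_patterns(tree):
    """Yield (rule, line, message) for every syntactic match, with no flow reasoning."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = qualname(node.func)
            if name in ("eval", "exec"):
                yield ("SEC.EVAL", node.lineno, f"{name}() executes data as code")
            elif name in SUBPROCESS_CALLS:
                for kw in node.keywords:
                    if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                        yield ("SEC.SHELL", node.lineno, "shell=True hands the command line to /bin/sh")
        elif isinstance(node, ast.Assign):
            v = node.value
            is_literal = isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value != ""
            for tgt in node.targets:
                if is_literal and isinstance(tgt, ast.Name) and SECRET_NAME.search(tgt.id):
                    yield ("SEC.HARDCODED_SECRET", node.lineno, f"string literal assigned to {tgt.id}")

def suppressions(source):
    """Map line number -> (rule, reason) from trailing '# nosa:' comments.
    Plain text matching: a string literal containing '# nosa:' would also count."""
    found = {}
    for lineno, text in enumerate(source.splitlines(), 1):
        m = SUPPRESS_RE.search(text)
        if m:
            found[lineno] = (m.group(1), (m.group(2) or "").strip())
    return found

def scan(source):
    """Return (reported, suppressed) for one file, each sorted by (line, rule).
    A suppression counts only if it names the rule it silences and gives a reason;
    a bare suppression is itself reported so that the decision gets documented."""
    supp = suppressions(source)
    reported, suppressed = [], []
    for rule, line, message in find_patterns(ast.parse(source)):
        s_rule, s_reason = supp.get(line, (None, ""))
        if s_rule != rule:
            reported.append((rule, line, message))
        elif s_reason:
            suppressed.append((rule, line, message))
        else:
            reported.append(("PROC.SUPPRESSION_WITHOUT_REASON", line,
                             f"{rule} suppressed without a documented reason"))
    return (sorted(reported, key=lambda v: (v[1], v[0])),
            sorted(suppressed, key=lambda v: (v[1], v[0])))

# Constructed sample file for the example.
SAMPLE = '''\
import subprocess

DB_PASSWORD = "hunter2"
API_TOKEN = ""
LOG_PATH = "/var/log/app.log"

def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"], shell=True)  # nosa: SEC.SHELL reason: argv is a constant list, no user data
    result = eval(expr)  # nosa: SEC.EVAL
    return result
'''

if __name__ == "__main__":
    reported, suppressed = scan(SAMPLE)
    for rule, line, message in reported:
        print(f"line {line}: {rule}: {message}")
    for rule, line, message in suppressed:
        print(f"line {line}: {rule} suppressed with a documented reason")
```

The second subprocess.run() call is the slide-19 case: the pattern matches, but the argv is a constant list, so the rule does not apply here and now, and the suppression records exactly that. The eval() suppression is rejected because nobody wrote down why, and the empty API_TOKEN shows a rule deficiency being handled in the rule itself rather than by suppression: an empty string is a placeholder, not a leaked credential.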
  • 20. Flow Analysis False Positives
      False positives are inevitable
      Flow analysis finds real bugs
      Flow analysis is not comprehensive
  • 21. Static Analysis for Security
      Flow analysis finds the low-hanging fruit
      Flow analysis won't guarantee security
      SA prevents security problems
      Input validation is key
  • 22. Static Analysis for Prevention
      It's quicker to deal with false positives than with bugs
      Flow analysis finds complicated problems
      Runtime analysis should match flow analysis
      Rules should be chosen based on real problems
  • 23. SA for Process Improvement
      Flow analysis won't find everything
      Flow rules have corresponding pattern-based rules
      Prevent the potential rather than chase paths
  • 24. House Keeping - Certification
      Schedule, materials, exam and certificate as on slide 3
      Session 2 (Fri, Nov 19) covers: process infrastructure; workflows; choosing the best configuration; and more
  • 25. Q&A
  • 26. Further Reading
      Automated Defect Prevention (Huizinga & Kolawa): principles and processes to improve the software development process
      Effective C++ / More Effective C++ (Meyers): the definitive work on proper C++ design and programming
      Effective Java (Bloch): best-practice solutions for programming challenges
      Design Patterns (Gamma, Helm, Johnson, Vlissides): timeless and elegant solutions to common problems