Static Code Analysis
Caribbean Developer Week 2018
Presenter: Obika Gellineau
Agenda
 What is Static Code Analysis?
 Manual vs. Automated
 Benefits of Static Code Analysis
 Problems with Static Code Analysis
 SDLC and Security
 Automated Static Code Analysis Tools
 Demo
 Key Takeaways
What is Static Code Analysis?
 Examination of source code without executing the program.
 A method of finding defects in a program before it is ever run.
 Web and non-web applications can be evaluated.
 A form of “white-box” testing: the reviewer or tool has full access to the source.
What is Static Code Analysis?
 Can be done manually or through the use of automated tools.
 Testers must understand the code structure and be familiar with the idiosyncrasies of the source language.
 Used to detect flaws in how the software handles its inputs and outputs that dynamic scanning cannot see, because every code path in the source is inspected rather than only the paths exercised at run time.
Manual vs. Automated
Manual Code Review
• Involves peer reviews
• Developer must walk through the code with the reviewer
• Multiple participants and phases
Automated Code Review
• Involves automated software tools
• Developer does not require walkthrough session
• Multiple phases and minimal participation
Note:
 Both look for known-bad patterns in the code (automated tools through lexical and data-flow analysis, reviewers through experience and checklists) to find bugs, software vulnerabilities and logic flaws.
 Both are preventative measures for reducing bugs and security issues before the code reaches production.
Benefits of Static Code Analysis
Manual
• Improves coding quality.
• Knowledge of application functionality is shared.
• Review allows senior developer to improve junior
developer’s competency.
• “Two eyes are better than one”.
Automated
• Any developer can run it
• Saves a lot of developer time
• Scans run unattended once configured
• Ideal for Agile and DevOps SDLC
• Ideal for Continuous Integration: every commit can be scanned
Problems with Static Code Analysis
Manual
• Reliant on senior developers and/or quality
assurance staff to perform review.
• Manual reviews can be time consuming.
• Not ideal for Agile and DevOps SDLC.
• Review cannot be done by one person.
Automated
• High false-positive rate; when most warnings turn out to be noise, developers start ignoring all of them, real findings included.
• Extensive scan times when not optimized (scope, exclusions, incremental analysis).
• Automated tools are only as good as the rules used to detect vulnerabilities: a flaw that no rule describes is a false negative, not a clean result.
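The last three slides make claims that are easier to see in a working analyser than in bullets. The following Python script is an added example for this page (not code from the slides and not one of the tools listed later): a toy static analyser built on the standard-library `ast` module that runs two rules over a constructed sample program. In "lexical" mode it flags every `shell=True` call, which is the pattern-matching behaviour that produces the false positives the slide complains about; in "precise" mode it adds a minimal data-flow check (a name bound exactly once to a literal is a constant) and only reports commands that are not compile-time constants. The API list, rule names and the sample program are all constructed for illustration; the sample is only parsed, never executed.

```python
"""Toy static analyser for Python source: a purely lexical rule next to a data-flow-aware
one. Added example for this page, not the slides' code or a real tool; the API lists,
rule names and sample program are constructed for illustration."""
import ast
from dataclasses import dataclass

SHELL_APIS = {"os.system", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "subprocess.Popen"}
DANGEROUS_CALLS = {"eval", "exec"}


@dataclass
class Finding:
    rule: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted callee name such as 'subprocess.run'; '' for anything fancier."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _literal_bindings(tree: ast.AST) -> dict:
    """Names bound exactly once, to a literal. Deliberately flow-insensitive: a
    reassignment or a non-literal value marks the name untrusted (None)."""
    bindings = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    fresh = target.id not in bindings and isinstance(node.value, ast.Constant)
                    bindings[target.id] = node.value.value if fresh else None
    return bindings


class Analyzer(ast.NodeVisitor):
    def __init__(self, tree: ast.AST, precise: bool) -> None:
        self.precise = precise
        self.bindings = _literal_bindings(tree) if precise else {}
        self.findings = []

    def _is_constant(self, expr: ast.AST) -> bool:
        # Literals and once-bound literal names are constant; anything built at run
        # time (concatenation, f-strings, calls, parameters) is attacker-influenced.
        if isinstance(expr, ast.Constant):
            return True
        return isinstance(expr, ast.Name) and self.bindings.get(expr.id) is not None

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding("dangerous-call", node.lineno,
                                         f"{name}() executes arbitrary code"))
        elif name in SHELL_APIS:
            shell = name == "os.system" or any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords)
            constant_cmd = bool(node.args) and self._is_constant(node.args[0])
            # Lexical mode reports every shell invocation (the "too many false
            # positives" case); precise mode only those whose command is not constant.
            if shell and (not self.precise or not constant_cmd):
                why = "non-constant command" if self.precise else "pattern match only"
                self.findings.append(Finding("shell-injection", node.lineno,
                                             f"{name} runs a shell ({why})"))
        self.generic_visit(node)


def analyze(source: str, precise: bool = True) -> list:
    tree = ast.parse(source)
    analyzer = Analyzer(tree, precise)
    analyzer.visit(tree)
    return analyzer.findings


# Constructed sample program: it is parsed, never executed.
SAMPLE = '''\
import subprocess
LIST_CMD = "ls -l /var/log"
def list_logs():
    return subprocess.run(LIST_CMD, shell=True)             # constant: no injection
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)  # caller data reaches the shell
def run_user_cmd():
    cmd = input("command> ")
    return subprocess.run(cmd, shell=True)                  # user data reaches the shell
def compute(expr):
    return eval(expr)                                       # arbitrary code execution
'''

if __name__ == "__main__":
    for precise in (False, True):
        findings = analyze(SAMPLE, precise=precise)
        print(f"{'precise' if precise else 'lexical'} mode: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: [{f.rule}] {f.message}")
```

Lexical mode reports four findings, including `list_logs`, whose command is a fixed string; precise mode drops that one and keeps the two injectable shell calls and the `eval`. The gap between the two is the "false positive" cost of a rule set with no data-flow awareness, and the fact that neither mode knows anything about a sink that is not in `SHELL_APIS` is the "only as good as its rules" problem in miniature.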
SDLC and Security

Traditional
• Method: Waterfall
• Phases: Requirements, Design, Development, Testing, Deployment
• Overall process: complete requirements are clear and fixed; product definition is stable
• Business impact: feedback from the customer; longer release cycles
• Security: defined during the “Requirements” phase; static code analysis performed during the “Development” and “Testing” phases

Agile
• Method: Scrum
• Phases: Requirements, Plan, Design, Develop, Release, Track & Monitor
• Overall process: requirements change frequently; development needs to be fast
• Business impact: feedback from the customer; smaller release cycles; focus on speed
• Security: defined during the “Requirements” phase; static code analysis performed during the … phase

DevOps
• Method: “End-to-End”
• Phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor, and go again
• Overall process: requirements change frequently; both development and operations need to be agile
• Business impact: feedback from the team itself (operate and monitor); smaller release cycles with built-in feedback; focus on speed and automation
• Security: defined during the “Plan” phase; continuous, and therefore dependent on automated tooling
Automated Static Code Analysis Tools

C++
• Open source: Cppcheck, cpplint, flawfinder
• Commercial: CppDepend, Polyspace Code Prover

PHP
• Open source: RIPS, PHPMD
• Commercial: none listed

JavaScript / Node.js
• Open source: NodeJSScan, JSHint, ESLint, retire.js, JSLint
• Commercial: DeepScan

Python
• Open source: pylint, bandit, jedi
• Commercial: none listed

Java
• Open source: FindBugs (succeeded by SpotBugs), FindSecurityBugs, Checkstyle, OWASP Dependency-Check, JBMC
• Commercial: JArchitect

.NET
• Open source: Security Code Scan, CSharpEssentials, Roslyn Security Guard
• Commercial: CodeRush, ReSharper

Ruby / Rails
• Open source: Brakeman, ruby-lint
• Commercial: none listed

Multiple languages
• Open source: SonarQube, PMD, Yasca, coala
• Commercial: Fortify, Checkmarx, Veracode, Kiuwan, AppScan

Note: retire.js and OWASP Dependency-Check compare the versions of the libraries a project uses against lists of known-vulnerable releases; they do not analyse the project’s own code.
Demo
 Static code analysis of the deliberately vulnerable OWASP Juice Shop application (version 7.3.0).
 Automated tool: SonarQube 6.7.4 LTS.
 Installed on Windows 10 with a MySQL 5.3 database and Oracle JDK 8.
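The DevOps column of the SDLC slide calls for security that is continuous and tool-dependent, and the benefits slide names continuous integration as the natural home for automated scanning; the demo shows SonarQube doing the analysis. What the slides do not show is how a pipeline turns the analysis into a decision. The Python script below is an added example for this page (not the presenter’s demo material and not SonarQube’s own code) that gates a build on the SonarQube quality gate after `sonar-scanner` has run: it reads the `.scannerwork/report-task.txt` file the scanner writes, polls the background task through `api/ce/task`, and then queries `api/qualitygates/project_status` for the finished analysis. The project key `juice-shop`, the task and analysis identifiers, and every server response are constructed; the real HTTP fetcher is included, but the stand-alone run uses the scripted `FakeSonar` so it works offline.

```python
"""Gate a CI build on the SonarQube quality gate of the analysis just submitted.
Added example for this page, not SonarQube's or the presenter's code. Assumes a
SonarQube 6.7 server reachable at the serverUrl that sonar-scanner records in
.scannerwork/report-task.txt; identifiers and responses below are constructed."""
import base64
import json
import sys
import time
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], dict]  # GET url -> parsed JSON body


def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value file that sonar-scanner leaves behind after a run."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def http_fetch(token: str = "") -> Fetch:
    """Real fetcher: SonarQube accepts a user token as the HTTP Basic username."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url)
        if token:
            cred = base64.b64encode(f"{token}:".encode()).decode()
            req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def wait_for_analysis(task_url: str, fetch: Fetch, attempts: int = 60,
                      delay: float = 2.0) -> str:
    """Poll api/ce/task until the background task finishes; return its analysisId."""
    for _ in range(attempts):
        task = fetch(task_url)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"SonarQube analysis {task['status']}")
        time.sleep(delay)  # PENDING or IN_PROGRESS: keep waiting
    raise TimeoutError("SonarQube analysis did not finish in time")


def gate_status(server_url: str, analysis_id: str, fetch: Fetch) -> Tuple[str, List[str]]:
    """Gate status (OK, WARN or ERROR) plus one readable line per failed condition."""
    data = fetch(f"{server_url}/api/qualitygates/project_status?analysisId={analysis_id}")
    project = data["projectStatus"]
    failed = [f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
              for c in project.get("conditions", []) if c.get("status") == "ERROR"]
    return project["status"], failed


def gate_passed(report_text: str, fetch: Fetch, delay: float = 2.0) -> Tuple[bool, List[str]]:
    """True when the quality gate is OK; otherwise False and the failing conditions."""
    props = parse_report_task(report_text)
    analysis_id = wait_for_analysis(props["ceTaskUrl"], fetch, delay=delay)
    status, failed = gate_status(props["serverUrl"], analysis_id, fetch)
    return status == "OK", failed


# Constructed stand-ins for a live server (project key and ids are made up).
SAMPLE_REPORT = """projectKey=juice-shop
serverUrl=http://localhost:9000
dashboardUrl=http://localhost:9000/dashboard/index/juice-shop
ceTaskId=AWQtask0001
ceTaskUrl=http://localhost:9000/api/ce/task?id=AWQtask0001
"""


class FakeSonar:
    """Scripted server: task still running on the first poll, done on the second,
    then a gate that fails on new vulnerabilities (constructed values)."""
    def __init__(self) -> None:
        self.polls = 0

    def fetch(self, url: str) -> dict:
        if "/api/ce/task" in url:
            self.polls += 1
            if self.polls == 1:
                return {"task": {"status": "IN_PROGRESS"}}
            return {"task": {"status": "SUCCESS", "analysisId": "AWQanalysis01"}}
        if "/api/qualitygates/project_status" in url:
            return {"projectStatus": {"status": "ERROR", "conditions": [
                {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
                 "errorThreshold": "0", "actualValue": "3"}]}}
        raise ValueError(f"unexpected URL {url}")


if __name__ == "__main__":
    # Against a real server: run sonar-scanner first, then use
    #   http_fetch(os.environ["SONAR_TOKEN"]) and open(".scannerwork/report-task.txt").read()
    ok, failed = gate_passed(SAMPLE_REPORT, FakeSonar().fetch, delay=0)
    for line in failed:
        print("quality gate condition failed:", line)
    sys.exit(0 if ok else 1)
```

The polling step matters with SonarQube 6.7: the scanner uploads the report and exits 0 while the server is still processing it, so a pipeline that trusts the scanner’s exit code never learns that the gate failed. Waiting for the Compute Engine task and then asking for the gate result of that specific analysis is what turns "Continuous / Automated Tool Dependent" into a build that actually stops on new vulnerabilities.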
Key Takeaways
 To improve code quality, reduce software bugs, mitigate security vulnerabilities and avoid logic flaws, developers can act proactively through static code analysis.
 Manual reviews and automated tools are available to assist developers, but corrective action must be taken when issues are identified; a finding that is never fixed buys nothing.
 Static code analysis is a good proactive measure, but always include dynamic testing as well, to identify security vulnerabilities that only appear at run time (configuration, deployment environment, third-party services).
 Security must be integrated into all phases of the SDLC (especially at the start) and not be an afterthought.
Q&A
