22 static analysis tools.pptx
Part of the Web Application Security Course
Static Code Analysis
Security checking your source code
Sources of weaknesses
How we protect ourselves
o Do not rely on merely your own ability to detect insecure code.
o Use a program which will reliably check according to a predefined set of security rules.
Security Testing can be static or dynamic
Static tools
o Scan source code
o Before deployment
o Find potential holes from a list of known vectors
o Called static code analysis
o Negative testing
Dynamic tools
o Scan site
o After deployment
o Find actual holes from previously unknown vectors
o Called security scanning or penetration testing
o Positive testing
There are many static analyzers
So, how do I pick one?
o Coverage
o Performance
o Completeness
o Accuracy
o Customizability
o Repeatability
o Deployment
o Usability
o Reports
o Security
o Cost
Codename: FXCop
Job Description: Scan and analyze code. Report on problems.
FXCop needs rules
o Download and install the latest rules from Microsoft.
To start it, go to Build > Run Code Analysis.
The problems show up as build warnings
Some warnings are very detailed.
You can choose which rules run in Project Properties.
We should enable it to run upon build.
Also make it part of check-in.
When checking in code, it can halt progress until it passes the code analysis.
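One way to make the analysis run on every build, as an added example that is not part of the slides: the MSBuild properties below in a VS 2010 .csproj turn Code Analysis on for the Debug configuration, point it at a rule set file (the name SecurityRules.ruleset and the project name WebApp are assumptions), and promote its warnings to errors so a finding breaks the build instead of scrolling past in the warning list.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the slides: .csproj fragment for VS 2010 Code Analysis -->
<Project ToolsVersion="4.0" DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Library</OutputType>
    <!-- Hypothetical project name -->
    <AssemblyName>WebApp</AssemblyName>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)' == 'Debug' ">
    <!-- Run Code Analysis every time this configuration builds -->
    <RunCodeAnalysis>true</RunCodeAnalysis>
    <!-- Rule set that decides which rules run (Project Properties > Code Analysis) -->
    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>
    <!-- Treat CA warnings as errors so an insecure build fails rather than being ignored -->
    <CodeAnalysisTreatWarningsAsErrors>true</CodeAnalysisTreatWarningsAsErrors>
  </PropertyGroup>
</Project>
```

The same properties can be set from the Code Analysis tab of Project Properties; editing the .csproj keeps them under version control with the code.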
What if I don’t have Premium or Ultimate? Download the Windows 7 SDK.
But it runs from the command line, not integrated.
We can also get new rule sets
o http://fxcopASPNETSecurity.codeplex.com
Additional rules flag new findings
o Before:
o After:
Since the rules may come up with false positives and false negatives, we can tune them
o Add new rules
o Delete/disable existing rules
o Change the rules
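An added example of that tuning, not taken from the slides: a VS 2010 rule set file (the file name SecurityRules.ruleset is assumed) that starts from the Microsoft security rules shipped with Visual Studio, raises one rule to an error and switches off another that produced false positives.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the slides: SecurityRules.ruleset (hypothetical name) -->
<RuleSet Name="Web app security rules"
         Description="Tuned copy of the Microsoft security rules"
         ToolsVersion="10.0">
  <!-- Inherit every rule from the Microsoft-shipped security rule set -->
  <Include Path="securityrules.ruleset" Action="Default" />
  <Rules AnalyzerId="Microsoft.Analyzers.ManagedCodeAnalysis"
         RuleNamespace="Microsoft.Rules.Managed">
    <!-- Change a rule: "Review SQL queries for security vulnerabilities" becomes an Error -->
    <Rule Id="CA2100" Action="Error" />
    <!-- Disable a rule: "Validate arguments of public methods" was noisy in this code base -->
    <Rule Id="CA1062" Action="None" />
  </Rules>
</RuleSet>
```

Disable a rule only after recording why, since a rule turned off for one false positive stays off for every real finding it would have reported.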
Summary
o Static analysis tools check your source code for known vulnerabilities
o Analysis should be run automatically on compile and/or code check-in.
o VS 2010’s Code Analysis tool is easy and thorough.
Further study
o List of static analysis tools: http://bit.ly/StaticAnalysisTools
o Nice overview of VS Code Analysis Tool: http://bit.ly/VSCodeAnalysisTool
o Security rules package for Code Analysis: http://FXCopAspNetSecurity.Codeplex.com