Static and dynamic code analysis: A key factor for application security success

April 30th, 2006 · No Comments

With increased reliance on the Web and the growth in Web application-based attacks, Bill Gates’ call for companies to strive for excellence in security engineering at all stages of development was timely, if not overdue. In an effort to share best practices for developing secure code, Microsoft released their Security Development Lifecycle (SDL). SDL subjects products to static and dynamic code analysis to test for technical and logical vulnerabilities, and determine if products can withstand malicious attacks. Let’s look at the benefits of adding this process to your application security strategy.

Static analysis involves reviewing an application’s source code without executing the application itself using automated tools that analyze what the code does during every potential program execution. This allows the programmers to create diagrammatic or graphical representations of the code, which gives them a better understanding of the executed code’s effects. It is then necessary to have experienced developers analyze the results and examine any suspect source code to remove the coding errors. While program compilers only identify language rule violations, such as type violations and syntax errors, static analysis checks the source code for problems such as semantical errors that pass through compilers and result in problems such as buffer overruns, invalid pointer references, uninitialized variables and other vulnerabilities. Static and dynamic code analysis: A key factor for application security success

From around the Web

0 comments for this entry ↓

There are no comments yet for this entry.

You must log in to post a comment.

The Network Security. Org