Static code analysis is typically carried out during the implementation phase of a Security Development Lifecycle (SDL), as part of code review. Static analysis tools apply techniques such as taint analysis and data flow analysis to "static" (non-running) source code in an effort to identify potential security flaws. The terms static analysis, static code analysis and source code analysis are frequently used interchangeably. This kind of analysis focuses on flaws in the source code that could result in exploitable vulnerabilities. Manual code review can find the same classes of flaw, but automated tools cover far more code far more consistently; the trade-off is that they produce false positives a reviewer must triage, and they miss flaws that depend on runtime state or on design context the tool cannot see.


Techniques


Control Flow Graph (CFG)

An abstract graph that represents a program as nodes standing for basic blocks (maximal straight-line sequences of instructions with a single entry point and a single exit point) and directed edges standing for the possible jumps (control transfers) between blocks. The entry block is the node through which control enters the graph; it has no incoming edges. An exit block is a node through which control leaves the graph; it has no outgoing edges.


Data Flow Analysis

Data flow analysis is used to gather information about the run-time (dynamic) behaviour of data in software while the software is in a static state, that is, without executing it. Three terms come up constantly in data flow analysis: the basic block (the unit of code being analysed), control flow analysis (how control, and with it data, moves between blocks) and the control flow path (the sequence of blocks a given value travels along). A classic instance is reaching-definitions analysis, which computes for each point in the program the set of assignments that may still be in effect there; it is the kind of fact a taint analysis builds on when it asks which definition of a variable can reach a dangerous call.
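The two techniques above, as an added worked example that is not part of the original page: a toy three-address program (constructed for this example) is split into basic blocks, the CFG edges are wired up, the entry and exit blocks are identified from their edge counts, and a reaching-definitions pass is iterated over the graph to a fixed point. The instruction encoding and the variable names are assumptions made for the example.

```python
from collections import defaultdict

# A constructed toy program in a three-address form (not taken from the page).
# Instruction shapes:
#   ("assign", dst, [used_vars])   ("if", [used_vars], target)
#   ("goto", target)               ("ret", [used_vars])
PROGRAM = [
    ("assign", "x", []),        # 0: x = read_input()
    ("assign", "y", []),        # 1: y = 0
    ("if", ["x"], 5),           # 2: if x: goto 5
    ("assign", "y", []),        # 3: y = 1
    ("goto", 6),                # 4: goto 6
    ("assign", "y", ["x"]),     # 5: y = x
    ("ret", ["y"]),             # 6: return y
]


def build_cfg(program):
    """Split a linear instruction list into basic blocks and add the jump edges.
    Returns (blocks, succs): blocks[b] is the list of instruction indices in
    block b, succs[b] the set of block ids control can transfer to from b."""
    n = len(program)
    # Leaders: first instruction, every jump target, every instruction after a jump.
    leaders = {0}
    for i, ins in enumerate(program):
        if ins[0] in ("if", "goto"):
            leaders.add(ins[-1])
            if i + 1 < n:
                leaders.add(i + 1)
    starts = sorted(leaders)
    blocks = [list(range(s, e)) for s, e in zip(starts, starts[1:] + [n])]
    block_of = {i: b for b, blk in enumerate(blocks) for i in blk}

    succs = {b: set() for b in range(len(blocks))}
    for b, blk in enumerate(blocks):
        last_idx = blk[-1]
        last = program[last_idx]
        if last[0] in ("goto", "if"):
            succs[b].add(block_of[last[-1]])       # taken branch / unconditional jump
        if last[0] in ("assign", "if") and last_idx + 1 < n:
            succs[b].add(block_of[last_idx + 1])   # not-taken branch / straight-line flow
    return blocks, succs


def entry_and_exits(blocks, succs):
    """Entry block: no incoming edge. Exit blocks: no outgoing edge."""
    has_pred = {t for targets in succs.values() for t in targets}
    entry = [b for b in range(len(blocks)) if b not in has_pred]
    exits = [b for b in range(len(blocks)) if not succs[b]]
    return entry, exits


def reaching_definitions(program, blocks, succs):
    """Forward 'may' data flow analysis over the CFG, iterated to a fixed point.
    IN[b] = union of OUT[p] over predecessors p;  OUT[b] = GEN[b] | (IN[b] - KILL[b]).
    GEN[b]: assignments (instruction indices) made in b that survive to its end;
    KILL[b]: every other assignment, anywhere, to a variable b assigns."""
    preds = defaultdict(set)
    for b, targets in succs.items():
        for t in targets:
            preds[t].add(b)
    all_defs = [i for i, ins in enumerate(program) if ins[0] == "assign"]
    gen, kill = {}, {}
    for b, blk in enumerate(blocks):
        g = set()
        for i in blk:
            if program[i][0] == "assign":
                g = {d for d in g if program[d][1] != program[i][1]}  # shadowed in-block
                g.add(i)
        defined_vars = {program[d][1] for d in g}
        gen[b] = g
        kill[b] = {d for d in all_defs if program[d][1] in defined_vars} - g
    in_sets = {b: set() for b in range(len(blocks))}
    out_sets = {b: set() for b in range(len(blocks))}
    changed = True
    while changed:
        changed = False
        for b in range(len(blocks)):
            new_in = set().union(*(out_sets[p] for p in preds[b]))
            new_out = gen[b] | (new_in - kill[b])
            if new_in != in_sets[b] or new_out != out_sets[b]:
                in_sets[b], out_sets[b] = new_in, new_out
                changed = True
    return in_sets, out_sets


if __name__ == "__main__":
    blocks, succs = build_cfg(PROGRAM)
    print("blocks:", blocks, "edges:", succs, "entry/exits:", entry_and_exits(blocks, succs))
    ins, _ = reaching_definitions(PROGRAM, blocks, succs)
    print("definitions reaching the return block:", sorted(ins[len(blocks) - 1]))
```

For this program the blocks come out as [0,1,2], [3,4], [5], [6]; block 0 is the entry (no predecessor) and block 3 the only exit (no successor). The reaching-definitions result for the return block is {0, 3, 5}: the assignment `y = 0` at instruction 1 is killed on both paths, so it can never be the value returned, which is exactly the kind of fact a tool uses to prune false positives or flag dead stores.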


Lexical Analysis

Lexical analysis breaks source code into a stream of 'tokens' (keywords, identifiers, literals, operators, punctuation), abstracting away whitespace, comments and raw characters so that later stages work on a simpler, uniform representation. It is also the stage at which string literals and comments are recognised as such, which is why a token-based check is more reliable than a regular expression over raw text for spotting, say, a call to a dangerous function: the text "strcpy(" inside a string or a comment is not a call.
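As an added example (not code from the original page), a small regular-expression tokenizer for a C-like language, followed by a check that uses the token stream rather than raw text to list the functions a snippet calls. The token classes, keyword list and sample inputs are constructed for this example.

```python
import re
from typing import List, NamedTuple


class Token(NamedTuple):
    kind: str
    value: str
    line: int
    col: int


# Token classes for a small C-like language (constructed for this example).
# Order matters: the alternation is tried left to right, so COMMENT must
# precede OP (otherwise "//" would lex as two "/" operators) and the
# catch-all MISMATCH must come last.
TOKEN_SPEC = [
    ("COMMENT",  r"//[^\n]*"),
    ("NUMBER",   r"\d+(?:\.\d*)?"),
    ("STRING",   r'"(?:\\.|[^"\\])*"'),
    ("ID",       r"[A-Za-z_]\w*"),
    ("OP",       r"==|!=|<=|>=|[+\-*/=<>]"),
    ("PUNCT",    r"[(){};,]"),
    ("NEWLINE",  r"\n"),
    ("SKIP",     r"[ \t\r]+"),
    ("MISMATCH", r"."),
]
KEYWORDS = {"int", "char", "if", "else", "while", "return"}
MASTER = re.compile("|".join(f"(?P<{name}>{pat})" for name, pat in TOKEN_SPEC))


def tokenize(src: str) -> List[Token]:
    """Turn raw source text into a token list, dropping whitespace and comments."""
    tokens = []
    line, line_start = 1, 0
    for m in MASTER.finditer(src):
        kind, value = m.lastgroup, m.group()
        col = m.start() - line_start
        if kind == "NEWLINE":
            line += 1
            line_start = m.end()
            continue
        if kind in ("SKIP", "COMMENT"):
            continue
        if kind == "MISMATCH":
            raise SyntaxError(f"unexpected character {value!r} at {line}:{col}")
        if kind == "ID" and value in KEYWORDS:
            kind = "KEYWORD"
        tokens.append(Token(kind, value, line, col))
    return tokens


def find_calls(tokens: List[Token]) -> List[str]:
    """Names of functions called: an identifier immediately followed by '('.
    Because this runs on tokens, a 'strcpy(' inside a string literal or a
    comment is never mistaken for a real call."""
    return [
        t.value
        for t, nxt in zip(tokens, tokens[1:])
        if t.kind == "ID" and nxt.kind == "PUNCT" and nxt.value == "("
    ]


if __name__ == "__main__":
    for tok in tokenize('int x = foo(1, 2) + "a;b"; // trailing comment'):
        print(tok)
    print(find_calls(tokenize('s = "strcpy(dst, src)"; // strcpy(x)')))
```

The second usage line is the point of the example: a grep for `strcpy(` would report two hits in that snippet, while the token-based check reports none, because both occurrences are inside a STRING token or a dropped comment.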


Taint Analysis

Taint analysis seeks to locate variables that have been "tainted" by user-controllable input (sources) and track them to potential weak points, referred to as "sinks" (for example a shell command, a SQL query string or an eval call). A vulnerability is reported if a tainted variable reaches a sink without first passing through a sanitizer that neutralises it for that particular sink; a value that is safe to put in an HTML page is not therefore safe to put in a shell command. Taint checking is also available at run time in some languages: Perl enables it with the -T switch (and automatically when a script runs with differing real and effective user or group IDs) and recommends it for CGI programs, and Ruby had a comparable mechanism through $SAFE and Object#taint, deprecated in Ruby 2.7 and removed in later releases.
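A minimal static taint pass over Python source, added here as a worked example and not taken from the page: it parses the code with the standard `ast` module, tracks which variables are tainted by a source call, and reports sink calls whose sensitive argument is tainted unless a sanitizer intervened. The source, sink and sanitizer catalogue, the sample program under analysis and the names `request.args.get` and `cursor.execute` are assumptions made for this example. The pass is intentionally intraprocedural and straight-line; a production tool would run the same update over a CFG.

```python
import ast

# Policy for the toy analysis (constructed for this example; real tools ship
# a much larger catalogue). Each sink maps to the index of the argument that
# must not be tainted plus a label: execute(query, params) is only dangerous
# through its first argument, which is how parameterized queries come out clean.
SOURCES = {"input", "request.args.get", "request.form.get"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}
SINKS = {
    "os.system": (0, "command injection"),
    "subprocess.Popen": (0, "command injection"),
    "cursor.execute": (0, "SQL injection"),
    "eval": (0, "code injection"),
}


def dotted(node):
    """Render a call target such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if attacker-controlled data can flow into the value of expr.
    A source call is tainted; a sanitizer call is clean regardless of its
    arguments; any other call is tainted if its receiver or any argument is;
    every other expression (BinOp, f-string, tuple, ...) propagates taint
    from its children."""
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        receiver = expr.func.value if isinstance(expr.func, ast.Attribute) else None
        if receiver is not None and is_tainted(receiver, tainted):
            return True
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))


def analyze(source):
    """Intraprocedural taint pass over each function's top-level statements.
    Returns (function, line, sink, label) tuples. Statements are visited in
    order and the tainted set is updated on simple assignments; branches and
    loops inside the body are scanned for sinks but not flow-tracked."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = dotted(call.func)
                if name in SINKS:
                    idx, label = SINKS[name]
                    if idx < len(call.args) and is_tainted(call.args[idx], tainted):
                        findings.append((func.name, stmt.lineno, name, label))
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)  # reassignment with clean data un-taints
    return findings


# Constructed sample under analysis (parsed, never executed). The vulnerable
# function concatenates user input into a command and a query; the hardened
# one quotes for the shell, converts to int, and uses a bound parameter.
SAMPLE = '''
import os, shlex

def vulnerable(request, cursor):
    name = request.args.get("name")
    cmd = "ping -c 1 " + name
    os.system(cmd)
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

def hardened(request, cursor):
    name = request.args.get("name")
    os.system("ping -c 1 " + shlex.quote(name))
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s" % uid)
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("%s:%d %s -> %s" % finding)
```

Run stand-alone it reports exactly two findings, both in `vulnerable` (the os.system call and the string-formatted query); `hardened` is clean because `shlex.quote` and `int` are sanitizers and the bound parameter never touches the query-string argument that the sink policy marks as sensitive. Modelling sinks per argument is what keeps the parameterized query from being a false positive, and it is the reason sanitizers have to be matched to the sink: quoting for the shell would not have cleared the SQL sink.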