Static Analysis for Security

source-code security analysis with static analysis tools. Since ITS4's release in early 2000 (www.cigital.com/its4/), the idea of detecting security problems through source code has come of age. ITS4 is extremely simple—the tool basically scans through a file looking for syntactic matches based on several simple " rules " that might indicate possible security vulnera-bilities (for example, use of str-cpy() should be avoided). Much better approaches exist. Programmers make little mistakes all the time—a missing semicolon here, an extra parenthesis there. Most of the time, these gaffes are inconsequential; the compiler notes the error, the programmer fixes the code, and the development process continues. This quick cycle of feedback and response stands in sharp contrast to what happens with most security vulner-abilities, which can lie dormant (sometimes for years) before discovery. The longer a vulnerability lies dormant, the more expensive it can be to fix, and adding insult to injury, the programming community has a long history of repeating the same security-related mistakes. The promise of static analysis is to identify many common coding problems automatically before a program is released. Static analysis tools examine the text of a program statically, without attempting to execute it. Theoretically , they can examine either a pro-gram's source code or a compiled form of the program to equal benefit , although the problem of decoding the latter can be difficult. We'll focus on source code analysis here because that's where the most mature technology exists. Manual auditing, a form of static analysis, is very time-consuming , and to do it effectively, human code auditors must first know what security vulnerabilities look like before they can rigorously examine the code. Static analysis tools compare favorably to manual audits because they're faster, which means they can evaluate programs much more frequently, and they encapsulate security knowledge in a way that doesn't require the tool operator to have the same level of security expertise as a human auditor. Just as a programmer can rely on a compiler to consistently enforce the finer points of language syntax, the operator of a good static analysis tool can successfully apply that tool without being aware of the finer points of security bugs. Testing for security vulnerabili-ties is complicated by the fact that they often exist in hard-to-reach states or crop up in unusual circumstances. Static analysis tools can peer into more of a program's dark corners with less fuss than …