Friday, December 23, 2011

Think static analysis cures all ills? Think again.

Mark Pitchford

3/1/2011 11:15 AM EST

Static code analysis has been around as long as software itself, but you'd swear from current tradeshows that it was just invented. Here's how to choose the right code-analysis tools for your project.

Static analysis (or static code analysis) is a field full of contradictions and misconceptions. It's been around as long as software itself, but you'd swear from current trade shows that it was just invented. Static analysis checks the syntactic quality of high-level source code, and yet, as you can tell from listening to the recent buzz, its findings can be used to predict dynamic behavior. It is a precision tool in some contexts and yet in others, it harbors approximations. (Read the article here.)

I believe no static analysis tool developer would claim that their tool can solve everything. Don't get the wrong idea: static analysis is only a tool TO REDUCE (if not remove) software errors and the possibility of the software being exploited. And based on my studies (I've published a paper entitled "Preventing Software Vulnerabilities - Why Static Analysis is Ineffective"), it is not the tool that failed to deliver, nor is it 100% to blame. The tool is also developed by humans, and its purpose is to reduce human error in programming. Thus, there will always be limitations in the tool. In addition, the tool is dependent on the technique implemented. Hence, there should first be improvement of the technique, or a combination of multiple techniques, in a tool.
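The article's point that static analysis "harbors approximations", and the remark above that what a tool catches depends on the technique implemented, can be seen in a toy checker. The following is an added example written for this page, not code from the article, from Mark Pitchford, or from the blog; the rule, the helper names and the three C fragments it scans are all constructed for illustration and are not from any real tool or code base:

```python
"""Toy static checker for unbounded string copies in C source (added example).

It is run over three constructed C fragments to show one true positive, one
false positive and one false negative, and then a second pass with slightly
more reasoning that removes the false positive but still misses the real bug.
Everything here (rule, regexes, snippets, function names) is an assumption
made for illustration, not the behaviour of any particular product.
"""
import re

# Syntactic rule: a call to a copy routine with no length argument. Real tools
# have hundreds of these and use a parser rather than regexes, but the shape of
# the result is the same: a textual pattern stands in for a runtime property.
UNBOUNDED = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")

# Used only by the refined pass: a fixed-size char array declaration, and a
# strcpy whose source is a plain string literal (no escapes, for simplicity).
DECL = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
COPY_LITERAL = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*"([^"\\]*)"\s*\)')

# Constructed C snippets (illustration only, not from the article).
TRUE_POSITIVE = """void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);      /* name is caller-controlled: overflow past 15 chars */
}
"""

FALSE_POSITIVE = """void banner(void) {
    char buf[16];
    strcpy(buf, "hello");   /* 6 bytes into 16: safe, but the pattern still fires */
}
"""

FALSE_NEGATIVE = """void fill(char *dst, size_t n) {
    size_t i;
    for (i = 0; i <= n; i++) /* off-by-one: writes dst[n], one past the buffer */
        dst[i] = 'A';
}
"""


def scan(source: str) -> list[tuple[int, str, str]]:
    """Purely syntactic pass: (line, rule, text) for every line matching UNBOUNDED."""
    return [
        (lineno, "unbounded-copy", line.strip())
        for lineno, line in enumerate(source.splitlines(), start=1)
        if UNBOUNDED.search(line)
    ]


def scan_refined(source: str) -> list[tuple[int, str, str]]:
    """Same rule plus one piece of reasoning: a strcpy of a string literal into a
    buffer whose declared size is known earlier in the text is suppressed when
    the literal plus its NUL terminator fits. This removes the banner() report
    but does nothing for fill(), whose bug is not a call to any function."""
    sizes: dict[str, int] = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for decl in DECL.finditer(line):
            sizes[decl.group(1)] = int(decl.group(2))
        if not UNBOUNDED.search(line):
            continue
        lit = COPY_LITERAL.search(line)
        if lit and lit.group(1) in sizes and len(lit.group(2)) + 1 <= sizes[lit.group(1)]:
            continue  # provably fits: drop the report
        findings.append((lineno, "unbounded-copy", line.strip()))
    return findings


def report() -> None:
    """Print both passes side by side for the three snippets."""
    cases = [("greet (real overflow)", TRUE_POSITIVE),
             ("banner (safe copy)", FALSE_POSITIVE),
             ("fill (off-by-one)", FALSE_NEGATIVE)]
    for label, src in cases:
        print(f"{label:24s} syntactic={len(scan(src))}  refined={len(scan_refined(src))}")


if __name__ == "__main__":
    report()
```

The syntactic pass reports greet() and banner() and says nothing about fill(); the refined pass stops reporting banner() but still says nothing about fill(), because the off-by-one is a property of the loop bound rather than of any call the rule knows about. That is the practical meaning of "reduce, not remove": each improvement in technique narrows one class of false results, and the remaining gap has to be covered by testing, review, or a tool built on a different technique.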


Best static code analysis tools said...

Great blog. Static code analysis tools are very helpful and powerful. The list of tools provided in this blog is very nice.
