Static Code Analysis
Caribbean Developer Week 2018
Presenter: Obika Gellineau
Agenda
• What is Static Code Analysis?
• Manual vs. Automated
• Benefits of Static Code Analysis
• Problems with Static Code Analysis
• SDLC and Security
• Automated Static Code Analysis Tools
• Demo
• Key Takeaways
What is Static Code Analysis?
• Examination of source code without executing the program.
• It is a method of computer program debugging.
• Web and non-web applications can be evaluated.
• Commonly known as “white-box” testing.
• Can be done manually or through the use of automated tools.
• Testers must understand the code structure and be familiar with the idiosyncrasies of the source code’s programming language.
• Used to detect flaws in the software’s inputs and outputs that cannot be seen by dynamic scanning.
Manual vs. Automated
Manual Code Review
• Involves peer reviews.
• The developer must walk through the code with the reviewer.
• Multiple participants and phases.
Automated Code Review
• Involves automated software tools.
• The developer does not need a walkthrough session.
• Multiple phases and minimal participation.
Note:
• Both involve the use of pattern and lexical analysis to find bugs, software vulnerabilities and logic flaws.
• Both are preventative measures for reducing bugs and security issues.
Benefits of Static Code Analysis
Manual
• Improves code quality.
• Knowledge of application functionality is shared.
• Review allows a senior developer to improve a junior developer’s competency.
• “Two eyes are better than one”.
Automated
• Any developer can do it.
• Saves a lot of time for developers.
• Scanning is effortless.
• Ideal for Agile and DevOps SDLCs.
• Ideal for Continuous Integration.
Problems with Static Code Analysis
Manual
• Reliant on senior developers and/or quality assurance staff to perform the review.
• Manual reviews can be time consuming.
• Not ideal for Agile and DevOps SDLCs.
• The review cannot be done by one person.
Automated
• Too many false positives (warnings are usually safe to ignore).
• Extensive scan times when not optimized.
• Automated tools are only as good as the rules used to detect vulnerabilities.
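The pattern and lexical analysis named on the Manual vs. Automated slide, and the false-positive and rule-quality problems listed above, as an added example that is not code from the talk or from any tool it lists: a tiny Python rule-based analyzer with AST pattern rules and one regex rule. The source it scans and the secret value inside it are constructed placeholders.

```python
"""Tiny rule-based static analyzer (added illustration, not code from the talk
or from any tool it lists). It combines the two techniques the talk names,
AST pattern rules and lexical (regex) rules, and tags each finding with a
confidence so the false-positive problem is visible in the output."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str
    confidence: str  # "high": likely real; "low": needs a human to confirm


# Constructed sample input; the secret value is a placeholder, not a real key.
SAMPLE = '''\
import hashlib, subprocess

API_KEY = "constructed-placeholder-not-a-real-key"

def checksum(data):
    return hashlib.md5(data).hexdigest()

def run(host):
    subprocess.call("ping -c 1 " + host, shell=True)

def limits():
    return eval("{'max': 10}")
'''

# Lexical rule: a credential-like name assigned a string literal of 8+ chars.
SECRET_RE = re.compile(
    r'(?i)\b(api_key|password|secret|token)\b\s*=\s*["\'][^"\']{8,}["\']')


class PatternRules(ast.NodeVisitor):
    """AST pattern rules: match a called name plus the shape of its arguments."""

    def __init__(self):
        self.findings = []

    @staticmethod
    def _call_name(node):
        # eval(...) -> "eval"; subprocess.call(...) -> "subprocess.call"
        f = node.func
        if isinstance(f, ast.Name):
            return f.id
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            return f"{f.value.id}.{f.attr}"
        return None

    def _add(self, rule, node, message, confidence):
        self.findings.append(Finding(rule, node.lineno, message, confidence))

    def visit_Call(self, node):
        name = self._call_name(node)
        first = node.args[0] if node.args else None
        literal = isinstance(first, ast.Constant)
        if name == "eval":
            # eval of a literal cannot be injected into: report it, but low.
            self._add("eval-call", node, "use of eval()",
                      "low" if literal else "high")
        elif name in ("subprocess.call", "subprocess.run", "subprocess.Popen"):
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)
            if shell:
                # shell=True with a non-literal command is the injectable case.
                self._add("shell-true", node, f"{name} with shell=True",
                          "low" if literal else "high")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            # The rule cannot tell a checksum from a password hash: the classic
            # "warning that is usually safe to ignore", so low confidence.
            self._add("weak-hash", node, f"{name} used", "low")
        self.generic_visit(node)


def lexical_rules(source):
    """Line-oriented regex rules; no parsing, so they also work on broken code."""
    return [Finding("hardcoded-secret", n, "credential assigned a string literal", "high")
            for n, line in enumerate(source.splitlines(), start=1)
            if SECRET_RE.search(line)]


def analyze(source):
    """Run both rule families over one source file; findings sorted by line."""
    rules = PatternRules()
    rules.visit(ast.parse(source))
    return sorted(rules.findings + lexical_rules(source), key=lambda f: f.line)


def summarize(findings):
    """Count findings per confidence level: what a triage queue would show."""
    counts = {}
    for f in findings:
        counts[f.confidence] = counts.get(f.confidence, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE)
    for f in results:
        print(f"line {f.line:>2}  {f.rule:<17} {f.confidence:<4}  {f.message}")
    print(summarize(results))
```

Two of the four findings on the sample are low confidence, which is exactly the triage burden the slide describes; the only lever that changes that ratio is the quality of the rules themselves.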
SDLC and Security
Traditional
• Method: Waterfall.
• Phases: Requirements, Design, Development, Testing, Deployment.
• Overall process: complete requirements are clear and fixed; product definition is stable.
• Business impact: feedback from customer; longer release cycles.
• Security: security defined during the “Requirements” phase; Static Code Analysis performed during the “Development” and “Testing” phases.
Agile
• Method: Scrum.
• Phases: Requirements, Plan, Design, Develop, Release, Track & Monitor.
• Overall process: requirements change frequently; development needs to be fast.
• Business impact: feedback from customer; smaller release cycles; focus on speed.
• Security: security defined during the “Requirements” phase; Static Code Analysis performed during phase.
DevOps
• Method: “End-to-End”.
• Phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor, and go again…
• Overall process: requirements change frequently; development needs to be Agile; operations need to be Agile.
• Business impact: feedback from self; smaller release cycles with feedback; focus on speed and automation.
• Security: security defined during the “Plan” phase; continuous / automated tool dependent.
Automated Static Code Analysis Tools (by language supported: open source tools, then commercial tools)
• C++: Cppcheck, cpplint, flawfinder (open source); CppDepend, Polyspace Code Prover (commercial).
• PHP: RIPS, PHPMD (open source); no commercial tool listed.
• JavaScript / NodeJS: NodeJSScan, jshint, eslint, retire.js (open source); DeepScan, JSLint (commercial).
• Python: pylint, bandit, jedi (open source); no commercial tool listed.
• Java: FindBugs, FindSecurityBugs, checkstyle, OWASP Dependency Check, JBMC (open source); JArchitect (commercial).
• dotNET: Security Code Scan, CSharpEssentials, Roslyn Security Guard (open source); CodeRush, ReSharper (commercial).
• Ruby / RoR: brakeman, ruby-lint (open source); no commercial tool listed.
• Multiple languages: Sonarqube, PMD, Yasca, coala (open source); Fortify, Checkmarx, Veracode, Kiuwan, AppScan (commercial).
Demo
• Static Code Analysis of the OWASP vulnerable application JuiceShop (7.3.0).
• Automated tool: SonarQube 6.7.4 LTS.
• Installed on Windows 10 with a MySQL 5.3 database and Oracle JDK 8.
Key Takeaways
• To improve the quality of code, reduce software bugs, mitigate security vulnerabilities and avoid logic flaws, developers can take proactive action through static code analysis.
• Manual reviews and automated tools are available to assist developers, but corrective action must be taken when issues are identified.
• Static Code Analysis is a good proactive measure, but always remember to include dynamic testing to identify security vulnerabilities at runtime.
• Security must be integrated into all phases of the SDLC (especially at the start) and not be an afterthought.
Q&A
