IT conferences and meetings on programming languages see a growing number of speakers talking about static code analysis. Although this field is quite specific, there is still a number of interesting discussions to be found here to help programmers understand the methods, ways of use, and specifics of static code analysis. In this article, we have collected a number of videos on static analysis whose easy style of presentation makes them useful and interesting to a wide audience of both skilled and novice programmers.
1. Videos about static code analysis
Author: Ekaterina Milovidova
Date: 26.04.2017
IT conferences and meetings on programming languages see a growing number of speakers talking
about static code analysis. Although this field is quite specific, there is still a number of interesting
discussions to be found here to help programmers understand the methods, ways of use, and specifics
of static code analysis. In this article, we have collected a number of videos on static analysis whose easy
style of presentation makes them useful and interesting to a wide audience of both skilled and novice
programmers.
What is Static Analysis?
https://youtu.be/POvX4hYIoxg
Author: Matt Might
Static analyzers allow programmers to bound and predict the behavior of software without running it.
Once used exclusively for program optimization, they have rapidly risen in prominence for areas like
software security and automatic parallelization. The author takes you on a tour of the landscape of
static analysis through the lens of abstract interpretation.
Static code analysis used for code clean up
https://youtu.be/YJO1Ew7clgM
Author: PVS-Studio team
2. The report gives information about ways to detect bugs, methodology of static analysis, correct and
incorrect use of analysis tools. The author also provides myths about static analysis that may lead to
erroneous understanding among the developers. The presentation shows errors in Open Source
projects, detected by such tools as ReSharper, PVS-Studio, Visual Studio SCA.
Static Code Analysis: Scan All Your Code For Bugs
https://youtu.be/Heor8BVa4A0
Author: Jared DeMott
The author discusses static code analysis and how it is used in bug elimination. The talk covers a
discussion of pattern matching, procedural, data flow, and statistical analysis, and also includes
examples of common software vulnerabilities such as memory corruption, buffer overflow and over
reads, script injection, XSS and CSRF, command injection, and misconfigurations.
Static Code Analysis: Preventing Bugs and Lag Before They Happen
https://youtu.be/VxeC7WFfg3Q
Author: Vinny DaSilva
A Unit 16 Los Angeles forum session. The author discusses how to use static code analysis tools to
improve code quality throughout the development process, how to customize static code analysis to fit
teams' specific needs and workflows, and how to integrate with continuous integration systems to give
developers continuous feedback.
Make more Secure Code! - Overview of Security Development Lifecycle and Static Code
Analysis
3. https://youtu.be/DyWpRmhGnRI
Author: Jason Cohen
Despite the exponential growth in security products, security services, security companies, security
certifications, and general interest in the security topic, we still see security vulnerability disclosures
happening on a regular basis. Implementing Security Development Lifecycle best practices and principles
can go a long way to reducing the potential for common security flaws. Input sanitization issues, Cross-
Site-Scripting, buffer overflows, and many other known issues still represent the bulk of security issues
present. Static Code Analysis can help catch many of these unnoticed issues before code makes it out of
the developer's hands. In this video, the author discusses some common best practices of the Security
Development Lifecycle theory and how this can be integrated into modern code.
Bug Hunting with Static Code Analysis
https://youtu.be/Sb011qfbMkQ
Author: Nick Jones
A BSlidesLondon 2016 conference video. This talk covers a number of automated analysis techniques for
spotting bugs and security flaws in applications at the source code level, ranging from quick and dirty
bash scripts through open source and commercial analyzers to custom implementations. The video also
discusses how these techniques can be used in continuous integration systems to catch bugs as early in
the development cycle as possible.
4. The Current State of (free) Static Analysis
https://youtu.be/sn1Vg8A_MPU
Author: Jason Turner
A CPPCON2015 conference video. The author discusses the currently available free static analysis
software available for C++ and explains what kinds of errors these tools can catch, what kinds they miss,
and why static analysis should be a part of a normal build process.
Static Analysis and C++: More Than Lint
https://youtu.be/rKlHvAw1z50
Author: Neil MacIntosh
A CPPCON2015 conference video. Static analysis can find not only trivial bugs but also subtle, complex
bugs early, identify opportunities to improve performance, encourage consistent style and appropriate
usage of libraries and APIs. This talk looks at the different purposes static analysis tools can be used to
meet all these different goals. Specific examples are presented from the author's experience working
with sophisticated analysis tools on large, commercial codebases.
5. Make Friends with the Clang Static Analysis Tools
https://youtu.be/AQF6hjLKsnM
Author: Gabor Horvath
A CPPCON2016 conference video. This talk is an overview of the open source static analysis tools for C++
with the emphasis on Clang based tools. Understanding these methods can be really useful as it helps
write more static analysis friendly code and understand the cause of false positive results. It also helps
to understand limitations of the currently available tools. The author gives a short tutorial on how to use
these tools and how to integrate them into the workflow.
Finding Bugs with Clang at Compile and Run Time
https://youtu.be/kkokHPKlhzQ
Author: Bernhard Merkle
An ACCU 2016 conference video. Code analysis and verification gain more and more importance within
programming and quality assurance of software projects. Especially in languages like C/C++, undefined
behavior and memory leaks can cause great problems. Static analysis tools help a lot but often hard to
detect problems happen at runtime. This session shows how to use clang's features to find bugs at both
compile time (via static analysis) and runtime (via sanitizers). The combination of both approaches can
improve software quality a lot.
6. Static Source Code Analysis, The Next Generation
https://youtu.be/W_xIm5Djnpk
Author: James Croall
A Devoxx 2016 conference video. Gone are the days of "linters" and glorified spell checkers. Today's
static source code analysis is accurate and trustworthy, and can find complex inter-procedural coding
defects that our human eyes would never see. The video discusses how open-source developers have
used Coverity's Software Testing Platform to find and fix critical, crash causing bugs and security defects
in the Java language.
Static Analysis Saved My Code Tonight
https://youtu.be/TelqURPdQmQ
Author: Damien Seguy
A PHP UK Conference 2017 video. Static analysis tools check PHP code without running it. Fully
automated, they bring expertise to review the code, enforce good practices when programming, keep
code ready for the next PHP version. PHP 7 has developed tremendously our capacity to audit code -
thanks to AST and return types, it is possible to go deeper and prevent more bugs. In this video, the
author reviews the current state of static analysis tools and shows what they can find and how to
integrate them in the development cycle.
7. Static Code Analysis with Python
https://youtu.be/mfXIJ-Fu5Fw
Author: Andrew Wolfe
Auditing a code base for code formatting mistakes, potential security vulnerabilities or defects can be
time consuming. Static code analysis will let the computer do that for you. The video discusses how to
use code static analysis to catch errors early and improve code quality in Python codebases.
Augmenting Static Analysis Using Pintool: Ablation
https://youtu.be/wHIlNRK_HiQ
Author: Paul Mehta
A BH USA 2016 conference video. Ablation is a tool supplementing static analysis built to extract
information from a process as it executes. This information is then imported into the disassembly
environment where it used to resolve virtual calls, highlight regions of code executed, or visually diff
samples. The goal of Ablation is to augment static analysis with minimal overhead or user interaction.
Ablation makes it simple to diff samples by and highlight where the samples diverge. This is achieved by
comparing the code executed rather than just comparing data. The video also compares a heavily
mutated crash sample and the source sample.
Conclusion
You may find that some of the videos cover the same aspects, but each codebase is unique and one
developer's experience may be different from that of another. The authors share their knowledge of the
static analysis methodology and experience of using static analysis tools with the audience to prevent
them from making the same mistakes, straining their nerves and wasting their time on finding and fixing
these mistakes. The static analysis field is intensively developing; some diagnostic rules inevitably
8. become obsolete, whereas new diagnostics and standards appear. That's why attempts to compare
analyzers based on what defects they can detect or running them on synthetic tests make no sense. The
only way to compare tools is to run them on your code and see which of them meets your needs and
expectations the most.
Other materials
You are welcome to send us the links to videos on static code analysis that you find interesting, and we
will add them to the article.