In the latest video of our Security Culture series we talk about static analysis. You can also listen in on our podcast.

There are a lot of static analysis tools out there. The simplest might be ESLint, for which there are even security rulesets; their docs have some handy illustrations of the types of things these tools can find.

Think of it as though the tool is parsing your code, building an AST (a representation it can programmatically analyze) and then looking for patterns. In general, static analysis tools tend to be more mature in languages that are older and more widely used in regulated industries (like Java and .NET in banking and finance). One benefit with some newer languages is that they have more open toolsets (e.g. Ruby/Rails).

Remember, static analysis tools can only catch certain types of issues. They can sometimes detect that a string never gets output-encoded (XSS). They can sometimes detect that a query dangerously interpolates a user-controlled string (SQL injection). But they can never detect issues like authorization gaps. They are only as effective as the code “hydration” mechanism and the rules they have been programmed with. So they may find some security misconfigurations repeatably, quickly and accurately. They may miss others completely.

We recommend:

  1. Using a linter locally in your code editor if applicable - but only if applicable
  2. Using a static analysis tool in your CI/CD pipeline - if it finds useful things
  3. Assuming you may need to spend time tuning the tool to get the results you want
  4. Starting with free tools to build the process and habit, then considering commercial tools
  5. Augmenting static analysis with code review
  6. Considering an assisted code review strategy (à la Crush)

Conclusion? Use static analysis when it helps you. Don’t treat it as a cure-all.

References

Of course, there are many commercial static analysis tools out there. The only way you’ll know which one works best for you is to kick the tires.

Matt Konda

Matt is a software engineer. He's our CEO and former Chair & OWASP Board Member.
