The Advantages of Source and Binary Static Analysis

GrammaTech, Inc

Static code analysis belongs in every software developer's toolbox. It provides early indications of bugs, security violations, coding-standard violations (against standards such as MISRA and CERT C) and bad coding style. It catches problems during the coding phase of the software development lifecycle, before the code is even executed. Because it reasons about the code instead of running it, static analysis can consider paths through the code that your tests never exercise. As such, it provides a high return on a low investment of time and money. Best practice is to include static code analysis as part of the code review process.

However, most static code analysis tools stop at the source code boundary. They examine the source code that developers author, but they do not take into account the layers of third-party components that many modern software projects depend on. These components are often delivered as binary blobs, without source code, either as libraries that are linked into the application or as stand-alone executables that run alongside the authored code as part of the system.

[Figure: Distribution of software code in final design, current project (percent of code). © Copyright 2016 VDC Research Group, Inc. Source: Strategic Insights 2016: IoT & Embedded Technology: Track 4: Software & System Lifecycle Management Tools, Volume 2: Automated Software and Security Test Tools]

GrammaTech CodeSonar allows development teams to assess source code in a variety of languages as well as binaries, whether libraries or executables, for software quality and security risk. For libraries, it offers a mixed mode that continues the static analysis of the source code into the library and finds problems such as null pointer dereferences, memory violations, concurrency problems and taint issues, where user or environment input reaches a sensitive operation and could put the system at risk. For stand-alone binaries, it can investigate possible vulnerabilities in the third-party code itself.
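The following toy interprocedural taint analysis is an added illustration of the gap described above; it is not CodeSonar code and does not describe how CodeSonar works internally. The program, the statement forms, the function names (handle_request, libcfg_load, log_line) and the library summary are all constructed for the example. A source-only run treats the binary-only library as opaque and reports nothing about it; the "mixed mode" run supplies a summary of what analysis of the library binary would reveal, and the same taint path is then reported end to end.

```python
"""Toy interprocedural taint analysis (added example, not GrammaTech code).

A function is a list of simple statements over a constructed mini-IR:
  ("source", var)          var receives untrusted input
  ("assign", dst, src)     dst takes src's taint
  ("sink", var, desc)      var reaches a sensitive operation described by desc
  ("call", callee, args)   positional call; args are variable names
Functions whose body is None are available only as binaries.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Func:
    params: list
    body: Optional[list]  # None => no source code, binary only


# Constructed sample program. main() and handle_request() are "our" source code;
# libcfg_load() stands for a third-party library shipped without source.
PROGRAM = {
    "main": Func([], [
        ("source", "req"),                      # request body from the network
        ("call", "handle_request", ["req"]),
        ("call", "log_line", ["req"]),
    ]),
    "handle_request": Func(["buf"], [
        ("assign", "name", "buf"),
        ("call", "libcfg_load", ["name"]),
    ]),
    "log_line": Func(["msg"], [
        ("sink", "msg", "untrusted format string"),
    ]),
    "libcfg_load": Func(["path"], None),        # binary only, no body to inspect
}

# What a binary analysis (or a hand-written model) learns about libcfg_load:
# its first parameter reaches a fixed-size stack copy without a length check.
# Hypothetical summary, constructed for the example.
LIBRARY_SUMMARY = {
    "libcfg_load": {0: "unbounded copy into fixed stack buffer"},
}


def analyze(program, entry, summaries=None, tainted_args=frozenset()):
    """Return [(function, variable, description)] for every tainted sink reached
    from `entry`, given which positional parameters arrive tainted.

    The sample program is acyclic, so plain recursion suffices; a real analysis
    would iterate to a fixpoint over recursive call graphs.
    """
    summaries = summaries or {}
    func = program[entry]
    tainted = {p for i, p in enumerate(func.params) if i in tainted_args}
    findings = []

    if func.body is None:
        # Opaque library: without a summary there is nothing to inspect, so the
        # taint path silently dies here. With a summary the path is completed.
        for idx, desc in summaries.get(entry, {}).items():
            if idx in tainted_args:
                findings.append((entry, func.params[idx], desc))
        return findings

    for stmt in func.body:
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":
            dst, src = stmt[1], stmt[2]
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif op == "sink":
            if stmt[1] in tainted:
                findings.append((entry, stmt[1], stmt[2]))
        elif op == "call":
            callee, args = stmt[1], stmt[2]
            passed = frozenset(i for i, a in enumerate(args) if a in tainted)
            findings.extend(analyze(program, callee, summaries, passed))
    return findings


def source_only():
    """Analysis that stops at the source boundary: library calls are opaque."""
    return analyze(PROGRAM, "main")


def mixed_mode():
    """Analysis that carries taint into the library via its binary summary."""
    return analyze(PROGRAM, "main", LIBRARY_SUMMARY)


if __name__ == "__main__":
    print("source only:", source_only())
    print("mixed mode: ", mixed_mode())
```

The source-only run still finds the in-source format-string sink in log_line, which is why a team can have a clean report and still ship the library flaw: the analyzer never saw the copy inside libcfg_load. The difference between the two runs is entirely the summary of the binary, which is the information that analysis of the library itself has to supply.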

Teams that struggle with deadlines, code quality, security vulnerabilities or developer efficiency should look into static analysis to improve their software development capability. GrammaTech offers free evaluations at