Page 7 - Cyber Warnings
Figure 1: A simple process for adopting static analysis tools for security audit and ongoing
security improvement.

Narrowing the analysis to the high-priority vulnerabilities is important to provide a first look at
security readiness. These parameters can change over time to provide a more complete audit,
as shown below.

Analyzing Results
Using the narrowed set of results configured in the previous step, the analysis begins.
Prioritizing the results further focuses the work on critical vulnerabilities. For example, buffer
overflow errors are likely to be considered more critical than a coding-style warning. Therefore,
the recommended approach is as follows:
• Prioritize: Rank the errors by relative priority before analyzing their validity. Reported
errors may include false positives, so to save time analyze only the highest-priority ones
first. The lowest-priority reports may not need checking at all (meaning they likely should be
disabled, as described above).
• Evaluate: At this stage, check the error reports from the tools in priority order. Serious
errors and their corresponding dataflow should be checked in detail. Tools such as CodeSonar
provide detailed reports that assist in verifying each error, with the ability to mark it as a
true or false positive and to add annotations as needed.
• Annotate and Report: Most advanced static analysis tools produce a report of each
analysis run on the source code. After the critical vulnerabilities have been validated and
annotated, a source code security audit is ready.

A completed security audit can be used for further risk management, fixing and testing, and for
comparison against subsequent versions of the software. It’s critical that static analysis become
part of an iterative approach to security improvement.
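The prioritize / evaluate / annotate steps above, and the comparison of one audit against a later version, as an added worked example that is not part of the original article and is not CodeSonar's own output format. The priority ranking, the warning classes and the findings are constructed for illustration:

```python
from collections import Counter

# Relative priority per warning class (higher is more urgent). This ranking is an
# assumption for the example; a real audit derives it from the threat assessment.
PRIORITY = {"buffer-overflow": 100, "format-string": 90, "use-after-free": 90,
            "null-dereference": 60, "style": 5}
DISABLED = {"style"}  # lowest-priority classes switched off in the tool configuration

# Constructed sample findings (not real tool output). 'annotation' stays None
# until an analyst has evaluated the finding.
FINDINGS = [
    {"id": 1, "class": "style", "file": "util/log.c", "line": 14, "annotation": None},
    {"id": 2, "class": "buffer-overflow", "file": "net/parse.c", "line": 120, "annotation": None},
    {"id": 3, "class": "null-dereference", "file": "net/parse.c", "line": 88, "annotation": None},
    {"id": 4, "class": "format-string", "file": "cli/main.c", "line": 41, "annotation": None},
    {"id": 5, "class": "buffer-overflow", "file": "crypto/kdf.c", "line": 57, "annotation": None},
]

def prioritize(findings, disabled=DISABLED):
    """Step 1: drop disabled classes, then rank the rest by priority and location."""
    kept = [f for f in findings if f["class"] not in disabled]
    return sorted(kept, key=lambda f: (-PRIORITY.get(f["class"], 0), f["file"], f["line"]))

def annotate(findings, verdicts):
    """Step 2: record analyst verdicts ('true' or 'false' positive) keyed by finding id."""
    for f in findings:
        if f["id"] in verdicts:
            f["annotation"] = verdicts[f["id"]]
    return findings

def audit_report(findings, min_priority=50):
    """Step 3: summarise evaluated findings at or above min_priority; list unreviewed ones."""
    counts, unreviewed = Counter(), []
    for f in findings:
        if PRIORITY.get(f["class"], 0) < min_priority:
            continue  # below the audit's threshold; not part of this first-look audit
        if f["annotation"] is None:
            unreviewed.append(f["id"])
        else:
            counts[f["annotation"]] += 1
    return {"true_positives": counts["true"], "false_positives": counts["false"],
            "unreviewed": unreviewed, "audit_complete": not unreviewed}

def compare_audits(previous, current):
    """Diff two audits by (class, file): confirmed findings fixed since, and newly introduced."""
    loc = lambda fs: {(f["class"], f["file"]) for f in fs if f["annotation"] == "true"}
    prev, cur = loc(previous), loc(current)
    return {"fixed": sorted(prev - cur), "introduced": sorted(cur - prev)}
```

Calling `prioritize(FINDINGS)` drops the style warning and places the two buffer overflows first; `audit_report` reports the audit as incomplete until every finding at or above the threshold carries a verdict.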

Conclusion
Static analysis tools are a powerful aid to improving security, but adopting the tools and
creating a starting point for your development team might seem daunting at first.
Understanding the aims and goals of your security audit and threat assessment can narrow the
focus, making the analysis results relevant and useful. Configuring the tools and prioritizing the
results help streamline the audit process and produce actionable findings.

About The Author
Bill Graham is a seasoned embedded software development manager with
years of development, technical product marketing and product
management experience.

Bill can be reached online at [email protected]




7 Cyber Warnings E-Magazine February 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide