https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=MGHAZLI+ZyadOWASP - User contributions [en]2026-05-14T09:48:36ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=User:MGHAZLI_Zyad&diff=156532User:MGHAZLI Zyad2013-08-08T08:40:49Z<p>MGHAZLI Zyad: </p>
<hr />
<div>Security Consultant at Solucom <br />
[http://www.Solucom.fr www.Solucom.fr]</div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=CRV2_WhatIsCodeReview&diff=156531CRV2 WhatIsCodeReview2013-08-08T08:26:39Z<p>MGHAZLI Zyad: </p>
<hr />
<div><br />
== What is Security Source Code Review? ==<br />
<br />
<br />
Source code review is the practice of reviewing developed code for vulnerabilities. There are many ways to review the security of an application and it is recommended to perform more than one method to help ensure more assessment coverage. Penetration testing is great at finding certain bugs such as technical signature or API based issues. Issues related to privacy, information leakage, denial of service are more suited to code review. Source code review is also good practice as you are finding issues early in the SDLC. Locating and fixing issues early in your SDLC makes it cheaper in terms of effort and cost to remediate. It also empowers developers to understand security bugs at the source code level such that they may not repeat the same mistakes.<br />
<br />
== What is static analysis? ==<br />
<br />
<br />
Static Code Analysis is usually performed as part of a Source code review and is carried out at the Implementation phase of SDLC. Static Code Analysis commonly refers to the running of static code analysis tools that attempts to highlight possible vulnerabilities whiting the ‘static’ (non-running) source code by using techniques such as Taint Analysis, Data Flow Analysis, Control Flow Graph, and Lexical Analysis. When the analysis is performed on a runtime environment, it is referred to as Dynamic Code Analysis.<br />
Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.</div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=CRV2_ManualReviewProsCons&diff=156530CRV2 ManualReviewProsCons2013-08-08T08:22:05Z<p>MGHAZLI Zyad: Choosing a static analysis tool</p>
<hr />
<div>= Manual Review - Pros and Cons =<br />
<br />
Add content here ...<br />
<br />
<br />
== Choosing a static analysis tool ==<br />
<br />
Choosing a static analysis tool is a difficult task since there are a lot of choices. The comparison charts below should help you decide which tool is right for you. This list is not exhaustive.<br />
The first thing to do is to look to for a tool that supports the programming language of your choice. You also have to decide whether you want a commercial tool or a free one. Usually the commercial tools have more features and are more reliable than the free ones. The major commercial tools are equally effective but their usability might differ. Next, there is the type of analysis you are looking for: Security or Quality, Static or Dynamic analysis. You should also check the compatibility of the tool with your programming environment.<br />
This was the easy part to narrow the choice down to a few tools. The next step requires you to do some work since it is quite subjective. The best thing to do is to test a few tools to see if you are satisfied with different aspects such as the user experience, the reporting of vulnerabilities, the level of false positives, the customization, the customer support… The choice should not be based on the number of features, but on the features that you need and how they could be integrated in your SDLC. Also, before choosing the tool, the security expertise of the targeted users should be clearly evaluated in order to choose an appropriate tool.<br />
<br />
<br />
=== '''Free static analysis tools''' ===<br />
<br />
[[File:Free_static_analysis_tools.png]]<br />
[[File:Legend_free_static_analysis_tools.png]]<br />
<br />
=== '''Commerical static analysis tools''' ===<br />
<br />
[[File:Commercial_static_analysis_tools.png]]<br />
[[File:Legend Commercial static analysis tools.png]]<br />
<br />
[[File:Owasp_Benchmark_Static_analysis_tools.pptx]]</div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=File:Owasp_Benchmark_Static_analysis_tools.pptx&diff=156529File:Owasp Benchmark Static analysis tools.pptx2013-08-08T08:12:36Z<p>MGHAZLI Zyad: </p>
<hr />
<div></div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=File:Legend_Commercial_static_analysis_tools.png&diff=156528File:Legend Commercial static analysis tools.png2013-08-08T08:11:01Z<p>MGHAZLI Zyad: </p>
<hr />
<div></div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=File:Commercial_static_analysis_tools.png&diff=156527File:Commercial static analysis tools.png2013-08-08T08:10:45Z<p>MGHAZLI Zyad: </p>
<hr />
<div></div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=File:Legend_free_static_analysis_tools.png&diff=156526File:Legend free static analysis tools.png2013-08-08T08:10:20Z<p>MGHAZLI Zyad: </p>
<hr />
<div></div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=File:Free_static_analysis_tools.png&diff=156525File:Free static analysis tools.png2013-08-08T08:09:57Z<p>MGHAZLI Zyad: MGHAZLI Zyad uploaded a new version of &quot;File:Free static analysis tools.png&quot;</p>
<hr />
<div></div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=File:Free_static_analysis_tools.png&diff=156524File:Free static analysis tools.png2013-08-08T08:08:33Z<p>MGHAZLI Zyad: </p>
<hr />
<div></div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=CRV2_ManualReviewProsCons&diff=156523CRV2 ManualReviewProsCons2013-08-08T08:03:04Z<p>MGHAZLI Zyad: </p>
<hr />
<div>= Manual Review - Pros and Cons =<br />
<br />
Add content here ...<br />
<br />
<br />
== Choosing a static analysis tool ==<br />
<br />
Choosing a static analysis tool is a difficult task since there are a lot of choices. The comparison charts below should help you decide which tool is right for you. This list is not exhaustive.<br />
The first thing to do is to look to for a tool that supports the programming language of your choice. You also have to decide whether you want a commercial tool or a free one. Usually the commercial tools have more features and are more reliable than the free ones. The major commercial tools are equally effective but their usability might differ. Next, there is the type of analysis you are looking for: Security or Quality, Static or Dynamic analysis. You should also check the compatibility of the tool with your programming environment.<br />
This was the easy part to narrow the choice down to a few tools. The next step requires you to do some work since it is quite subjective. The best thing to do is to test a few tools to see if you are satisfied with different aspects such as the user experience, the reporting of vulnerabilities, the level of false positives, the customization, the customer support… The choice should not be based on the number of features, but on the features that you need and how they could be integrated in your SDLC. Also, before choosing the tool, the security expertise of the targeted users should be clearly evaluated in order to choose an appropriate tool.</div>MGHAZLI Zyadhttps://wiki.owasp.org/index.php?title=CRV2_WhatIsCodeReview&diff=156522CRV2 WhatIsCodeReview2013-08-08T08:02:02Z<p>MGHAZLI Zyad: </p>
<hr />
<div>What is Security Source Code Review?<br />
<br />
Source code review is the practice of reviewing developed code for vulnerabilities. There are many ways to review the security of an application and it is recommended to perform more than one method to help ensure more assessment coverage. Penetration testing is great at finding certain bugs such as technical signature or API based issues. Issues related to privacy, information leakage, denial of service are more suited to code review. Source code review is also good practice as you are finding issues early in the SDLC. Locating and fixing issues early in your SDLC makes it cheaper in terms of effort and cost to remediate. It also empowers developers to understand security bugs at the source code level such that they may not repeat the same mistakes.<br />
<br />
What is static analysis?<br />
<br />
Static Code Analysis is usually performed as part of a Source code review and is carried out at the Implementation phase of SDLC. Static Code Analysis commonly refers to the running of static code analysis tools that attempts to highlight possible vulnerabilities whiting the ‘static’ (non-running) source code by using techniques such as Taint Analysis, Data Flow Analysis, Control Flow Graph, and Lexical Analysis. When the analysis is performed on a runtime environment, it is referred to as Dynamic Code Analysis.<br />
Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.</div>MGHAZLI Zyad