Static scanning is the process in which an analyst works on the source code to find flaws relating to security vulnerabilities, business logic, logging mechanisms, authentication, authorization, and so on.
Many teams recommend that the security tool should not be used to detect non-security issues. In analysts' experience, however, the flaws that arise from bad coding often turn out to be the source of hidden vulnerabilities. Findings such as Log Tampering, Unused Method, Excessive Session Timeout and Unreleased Resources look very simple, but they can sometimes lead to remote code execution or denial-of-service attacks. Static scanning is done in two ways: with automated tools and by manual process. An automated scan takes almost a day to complete and reports every instance of each flaw; the analyst then works through the results manually to weed out false positives, after which the genuine vulnerabilities are taken forward for reporting. The manual process takes much longer, as the analyst has to go through the code line by line and report each issue. The scanning process is shown in the image.
Many vendors have their own static code review tools, supporting compiled code, non-compiled code, or both. Some tools will not proceed unless they are given fully compiled code with no errors or warnings. Many analysts claim that the security results for compiled and non-compiled code are the same.
So what is the difference between compiled and non-compiled code scanning?
Testing that claim, analysis found that it fails by around 20% when non-compiled code is scanned, compared with compiled code. On the other hand, when the same code is scanned several times, the non-compiled code ends up reporting the same number of issues as the compiled code. This is one scenario where the scanning tool supports non-compiled code. Some of the other differences are listed in the table below.
From these facts we can conclude that, to ensure 100% coverage with fast static code scanning and faster removal of false positives, compiled code with all its dependencies should be available before scanning. Moreover, most popular static code scanners support this.
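As an added illustration (not part of the original post) of why having all dependencies present matters: a toy taint tracer over Python source that follows user input from `request` into a logging sink. `APP`, `DEP`, the sink list and the `request` source convention are all constructed for this example. When the dependency's source is missing, the trace stops at the unresolved call and the Log Tampering finding disappears, which is the kind of coverage gap a scan of incomplete code produces.

```python
import ast
# Constructed sample: the application under review and one of its dependencies.
APP = '''
def handle(request):
    user = request.GET["user"]
    record(user)
'''
DEP = '''
def record(value):
    logging.info("login " + value)
'''
SINKS = {"logging.info", "logging.warning", "logging.error"}  # log-tampering sinks

def dotted(node):  # 'logging.info' for a call target, None if not a plain name
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def reads(node, names):  # does `node` read a tainted name or any request.* value?
    return any((isinstance(n, ast.Name) and n.id in names)
               or (isinstance(n, ast.Attribute) and dotted(n.value) == "request")
               for n in ast.walk(node))

def scan(entry, available):
    """Sinks reached by request data from `entry`, given the source the scanner has."""
    funcs = {n.name: n for text in available.values()
             for n in ast.parse(text).body if isinstance(n, ast.FunctionDef)}
    findings, seen = [], set()

    def analyze(fn, tainted):
        if (fn.name, frozenset(tainted)) in seen:
            return
        seen.add((fn.name, frozenset(tainted)))
        for stmt in fn.body:  # propagate taint through plain assignments
            if isinstance(stmt, ast.Assign) and reads(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            hot = [i for i, a in enumerate(call.args) if reads(a, tainted)]
            target = dotted(call.func)
            if hot and target in SINKS:
                findings.append(f"{fn.name} -> {target}")
            elif hot and target in funcs:  # dependency present: follow the call
                params = funcs[target].args.args
                analyze(funcs[target], {params[i].arg for i in hot if i < len(params)})
            # else: callee not available (missing dependency), so the flow is lost
    analyze(funcs[entry], set())
    return findings
```

Calling `scan("handle", {"app.py": APP, "dep.py": DEP})` reports the flow into `logging.info`; dropping `DEP` from the dictionary yields no findings at all, even though the vulnerable code has not changed.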
Authored by Subhendra Das