Static analysis in a secure software development lifecycle

February 17, 2017 // By Bill Graham, GrammaTech
"When should static analysis be applied?" The answer to this question is fairly straightforward: "whenever code is being developed." This, however, is a simplification. The longer answer is "as part of a structured and secure development process."

[Editor's note: This short overview of the role of static analysis tools is presented by GrammaTech, www.grammatech.com]

Static analysis is an important part of a modern software development tool suite; applied correctly and sufficiently early, it can have a significant impact on code quality, security, and safety. Perhaps the most relevant point is the role static analysis plays in a security-first software design, which is critical in today's connected and complex operating environment.

Security-first design

A security-first design is an approach that integrates security as a top priority in the software development lifecycle (SDLC). To implement this approach, developers and project managers can expect at least the following types of activities while progressing through the five key stages of the cycle (see Figure 1).

Figure 1. Security processes superimposed over the software design lifecycle.

Requirement definition: At the requirement stage, security-specific requirements can be introduced, along with known “abuse cases” (use cases that an attacker might follow) and a risk analysis.

Design and architecture: As candidate architectures become available, reviews must include security aspects that may not have been included previously. At this stage, testing plans should be created that include security analyses that follow the perceived “abuse cases.”

Code development: At the coding stage, following security guidelines and coding standards is critical. The use of automation tools such as static analysis is key to ensuring that vulnerabilities are not introduced into the product.

Integration and test: As the system as a whole starts to take form, subsystem and system testing will find vulnerabilities before integration and deployment to the market.

Deployment and maintenance: When a product enters the market and starts wide deployment, security vulnerabilities become exponentially costlier to fix. As a product goes through maintenance and revision, security is an ongoing concern, and new vulnerabilities and threats need to be fed back into the system in an iterative approach.
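To make the "code development" stage above concrete, here is a deliberately small static-analysis gate of the kind a team might run in a pre-commit hook or CI job before code reaches integration and test. It is an added example written for this article, not GrammaTech's tooling or any real analyzer: the banned-function list, the suggested replacements and the sample C source are all constructed here. A production static analyzer does far more than this (dataflow, interprocedural and path-sensitive reasoning); the point of the example is the workflow, namely that a check runs automatically on every change and fails the build when it finds a vulnerability pattern, so the finding is fixed at the cheapest stage of the lifecycle.

```python
"""Toy static-analysis gate: flag calls to unbounded C string/input APIs.

Added example for this article; not GrammaTech's tooling. The banned list,
the advice strings and SAMPLE_C below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed banned list: unsafe call -> bounded alternative to suggest.
BANNED_CALLS = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strncpy/strlcpy with a bounded length",
    "strcat": "strncat/strlcat with a bounded length",
    "sprintf": "snprintf with the destination size",
}

# Identifier must start a token and be followed by '(' so that fgets(),
# strcpy_s() or my_strcpy() are not reported as false positives.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(BANNED_CALLS) + r")\s*\(")
LINE_COMMENT_RE = re.compile(r"//.*$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    func: str
    advice: str


def strip_comments(source: str) -> str:
    """Remove block and line comments so commented-out code is not reported.
    Newlines inside block comments are kept so line numbers stay correct.
    (String literals containing '//' or '/*' are not handled; a real lexer would.)"""
    def keep_newlines(m: re.Match) -> str:
        return "\n" * m.group(0).count("\n")

    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    return "\n".join(LINE_COMMENT_RE.sub("", ln) for ln in source.splitlines())


def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per banned call, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            findings.append(Finding(path, lineno, func, BANNED_CALLS[func]))
    return findings


def gate(sources: dict[str, str]) -> int:
    """Scan every file and return a CI-style exit code:
    0 when clean, 1 when any banned call is found (so the pipeline stage fails)."""
    all_findings = [f for path, src in sources.items() for f in scan_source(path, src)]
    for f in all_findings:
        print(f"{f.path}:{f.line}: banned call {f.func}(); prefer {f.advice}")
    return 1 if all_findings else 0


# Constructed sample input: a C file with two real findings and three decoys.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* legacy helper: strcpy(dst, src) is mentioned here only in a comment */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);          /* line 6: unbounded copy */
    strcpy_s(dst, 32, src);    /* not flagged: different identifier */
}

int read_line(char *buf) {
    // gets(buf);  commented-out call, not flagged
    return fgets(buf, 64, stdin) != NULL;
}

void format_id(char *out, int id) {
    sprintf(out, "%d", id);    /* line 16: unbounded format */
}
"""

if __name__ == "__main__":
    raise SystemExit(gate({"copy_name.c": SAMPLE_C}))
```

Run as a script it reports `copy_name.c:6` and `copy_name.c:16` and exits non-zero, which is what a commit hook or build step needs in order to block the change; the commented-out `gets` and the `strcpy_s` and `fgets` decoys are left alone. The same shape (scan, report with file and line, fail the stage) is how a full analyzer plugs into the lifecycle, just with a much deeper analysis behind the `scan_source` step.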

The role