~

~/Security

~/Security/Appsec

---

• Static Code Analysis
• Main Advantages
• Types of static analysis
• Static Analysis with Python
• Automate Static Analysis
  • Incorporate it into your project
  • Incorporate it into CI/CD

---

Static Code Analysis

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL)

Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))

For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

Main Advantages

• analyzes source code without executing it, it always terminates
• finishes execution faster than dynamic analysis
• automate-
  • maintaining code quality
  • finding bugs early
  • find security vulnerabilities early
• easy to incoporate into projects

Types of static analysis

• codestyle
• security linting
• error detection
• UML creation
• code duplication detection
• complexity analysis
• secrets detection
• comment style analysis
• dead coe detectio
• framework best practices

Static Analysis with Python

covered here

Automate Static Analysis

Incorporate it into your project

Most popular static analysis tools have plug-ins for popular IDEs, and run against open files, project files, or workspace files

pass in your prospector args in Visual Studio Code

Incorporate it into CI/CD

Use something like Github Actions to perform static analysis before code goes live. Here you can configure automated actions for:

• Security Issues
• Code Quality
• Code Review
• Software Composition Analysis/Dependency Scanning
• Testing

fin