Why Static Code Analysis Is Not Enough to Secure Your Web Applications

Category: Web Security Readings - Last Updated: Thu, 07 Nov 2019 - by Zbigniew Banach

Static code analysis tools (SAST) are used to automatically check source code for errors and security vulnerabilities, as well as ensure compliance with coding standards. They are deployed during development and while effective for some classes of vulnerabilities, they have a number of disadvantages and limitations, especially for web applications. Dynamic analysis solutions (DAST) address many of these problems and can complement or replace static tools. In this article, we will look at some of the shortcomings of static analysis and see how deploying dynamic analysis tools can help improve the security of your web applications.

Why Static Code Analysis Is Not Enough to Secure Your Web Applications

How Static Code Analysis Works

Static code analysis (also called white-box testing) is the automated equivalent of manual code reviews and is used to check the source code (or sometimes object code) for a variety of issues, including programming errors, vulnerable constructs, unsanitized input processing, and noncompliance with predefined rules. The process uses static code analyzers – specialized tools that are integrated into the software development lifecycle and (in most cases) executed automatically. Security-oriented static code analysis is also referred to as Static Application Security Testing (SAST).

For security testing, techniques such as data flow analysis are used to trace the flow of potential user inputs through program code and flag locations where unsanitized data may be processed. Beyond application security, static code analysis is also used to find bugs, enforce predefined coding standards, and ensure code quality, for example by eliminating unreachable code. In some highly regulated industries, such as aviation or medical software, using formal static code analysis methods is a regulatory requirement.

Numerous tools for static code analysis are available, from basic checks integrated into IDEs to comprehensive standalone suites. Apart from open source solutions, such as Sonarqube or the OWASP security tools, a vast array of commercial products are available, including tools from Coverity, Parasoft, Veracode, Klocwork, and Fortify. Products are available for most programming languages, from popular web application languages such as HTML, Java, JavaScript, Python, and PHP, to more specialized languages like Scala, Swift, and Cobol.

The Disadvantages of Static Code Analysis

Static analysis tools rely on abstract models and representations of program data flows and logic, which leads to a relatively large proportion of false positives in the results. Dealing with these false alarms requires a lot more time than fixing real issues because developers have to double-check valid code to ensure it is secure and free of bugs. If the number of false positives becomes a serious burden, developers may start ignoring certain classes of issues where these false alarms are common, thus increasing the risk of real errors staying in the code, or introduce unnecessary minor changes just to make the alarms go away, which can be bad for code quality.

Static analysis deals with source code, so each programming language typically requires a separate tool. Development teams also tend to use multiple tools for different types of checks, so the number of required products for all supported languages can quickly grow – and that can get expensive. For rule-based analysis, keeping all the required rules up to date can be a serious administrative burden.

While effective for many types of issues, source code analysis can’t catch runtime and configuration errors. Considering that misconfigurations are a major source of vulnerabilities, static analysis alone is not enough to guarantee application security. For web applications that use third-party libraries dynamically loaded from static code, dynamic analysis is the only feasible approach to ensuring security.

How Dynamic Analysis Works

Unlike static analyzers, dynamic analysis tools don’t require access to the source code – this approach is also called black-box testing, or Dynamic Application Security Testing (DAST) in a security context. Dynamic scanners are executed on a running application and can find all sorts of issues that show up at runtime, whether related to application code or to external factors, such as misconfiguration. They work by simulating all sorts of valid, invalid and malicious inputs to find errors and security flaws, effectively performing automated penetration testing to catch vulnerabilities as they emerge. 

Dynamic analysis covers only parts of the application that are executed during the test run and accessible to the user. While this provides the most realistic testing scenario for vulnerability scanning, it means that some application code may remain unchecked. Because source code is not accessible, dynamic scanners can’t directly indicate the causes of issues they detect, so developers have to find the corresponding errors manually. Fortunately, modern enterprise-class dynamic tools use advanced mechanisms to get you as close as possible to the root cause.

The Benefits of Dynamic Analysis

The key advantage of dynamic analysis is that it can detect all types of issues that can show up in a running application, including bugs, runtime errors, misconfigurations, and security flaws. This allows you to ensure application security and stability even if no static analysis is performed. Dynamic testing is also the only way to get realistic data about application performance.

Because they check the running application, not the source code, dynamic scanners are independent of the programming language and can be used at all stages of the software development pipeline. Business-class dynamic scanners readily integrate with modern methodologies, making it easy to automate dynamic analysis for DevOps and other agile approaches.

From a developer’s point of view, modern dynamic scanners generate far fewer false positives than static analysis tools. When used for automated penetration testing, leading tools can not only discover vulnerabilities but also exploit them in a safe, read-only way, generating a proof of exploit to document the results and help developers isolate the root cause.

Choosing Your Analysis Solution

With rapid deployment models such as CI/CD and DevOps becoming ever more popular, automated analysis is vital to ensure that code going from development to production is free of known errors and vulnerabilities. Your choice of analysis tools will depend on the individual requirements and budget, but a dynamic analysis product should be part of any toolset.

If you’re prepared to invest in static analysis tools for all your languages, the best solution is to combine static and dynamic analysis in your SDLC. That way you get the best of both worlds: static analysis can eliminate many issues even before the application runs and improve overall code and software quality, while dynamic analysis at runtime finds errors and vulnerabilities that could not be detected using static methods. 

However, if you have to choose between static and dynamic analysis, an enterprise-class dynamic scanner should provide the best combination of effectiveness and value, as it picks up many kinds of errors and vulnerabilities, and can be used by anyone and at any stage of the SDLC. From a security standpoint, a dynamic scanner is a necessity, since static analysis tools are helpless against many critical classes of vulnerabilities.

The good news is that best-of-breed dynamic vulnerability scanners are highly effective both as standalone solutions and in combination with static analysis tools. They are also easy to integrate with development automation processes, which makes them accessible and valuable to all roles across your SDLC.


Keep up with the latest web security
content with weekly updates.