To get a trial key
fill out the form below
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
RUB
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
** By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
** By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
** By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
PVS-Studio as SAST solution

PVS-Studio as SAST solution

Jul 25 2018
Author:

Until recently, in our articles we have positioned PVS-Studio as a tool for detecting errors in code. While we almost never regarded PVS-Studio in a security context. We will try to remedy this situation and take a look at the tool in terms of testing of security applications and DevSecOps practices.

0577_SAST/image1.png

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).

The tool works in Windows, Linux, macOS environments and analyzes program code written in C,C++ and C#. We're also planning to support the Java language by the end of 2018.

For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).

Mapping tables of PVS-Studio diagnostics to different standards:

The most widespread classification of SAST tool warnings is Common Weakness Enumeration (CWE). Let's see, using the language of CWE, how the PVS-Studio analyzer helps to prevent vulnerabilities.

If we refer to a list of entries of publicly known information security vulnerabilities (CVE), it turns out that often the reason of vulnerabilities in applications is not any defects in the security system, but ordinary programming errors. National Institute of Standards and Technology (NIST) confirms this by stating that 64% of vulnerabilities in applications relate to errors in code.

It is such errors, described in CWE, that potentially can lead to vulnerabilities. Accordingly, if an error can be classified as CWE, it is possible that it may be exploited as a vulnerability and ultimately be added to the list of CVE. For clarity, we can use an image of the funnel:

0577_SAST/image2.png

There is a great variety of errors. Some of them are dangerous from a security point of view and therefore are classified according to CWE. Some CWE-errors can be exploited and they represent vulnerabilities.

Indeed, in practice, only a very small part of discovered CWE-errors is dangerous and represents vulnerabilities. However, if you are developing security-critical applications and care about the security of users, you should consider these errors very seriously. Eliminating the CWE-errors, you protect your application from many vulnerabilities.

Now the relation between errors, PVS-Studio and vulnerabilities becomes apparent. PVS-Studio analyzer finds errors and classifies many of them as CWE. By fixing these errors, you make your application more reliable. The discovery of vulnerability in the product can seriously affect its reputation. By fixing the analyzer errors, you can significantly alleviate this risk at the earliest development stage - when you are writing the code.

PVS-Studio analyzer, like any other tool, does not guarantee that there are no vulnerabilities in your code. However, if PVS-Studio prevents, for example, 50% of potential vulnerabilities, this is wonderful.

Additionally we offer you to get acquainted with the article "How Can PVS-Studio Help in the Detection of Vulnerabilities?", showing the errors that led to vulnerabilities and which could have been avoided in case of using the PVS-Studio tool in the development process.

Start using PVS-Studio as a SAST solution: download PVS-Studio.

Latest articles:

Poll:

Popular related articles
Catastrophic backtracking: how can a regular expression cause a ReDoS vulnerability?

Date: Nov 03 2022

Author: Andrey Moskalev

Regular expressions come in handy when you need to search for and replace text. However, in some cases, they may cause the system to slow down or even make vulnerable to ReDoS attacks.
The risks of using vulnerable dependencies in your project, and how SCA helps manage them

Date: Sep 06 2022

Author: Nikita Lipilin

Most applications today use third-party libraries. If such a library contains a vulnerability, an app that uses this library may also be vulnerable. But how can you identify such problematic dependen…
Application Security Testing. How not to get confused between SAST, DAST, and IAST

Date: Jul 25 2022

Author: Alexey Sarkisov

What benefits does SAST have? What's the difference between SAST and DAST? What's IAST? What do all these words mean?! Let's talk about this and more in the overview of the main types of Application …
What is CVE and what vulnerabilities can it tell us about?

Date: Jul 22 2022

Author: Mikhail Evtihevich

You may often come across the CVE abbreviation in articles about various vulnerabilities and publications on information security incidents. CVE (Common Vulnerabilities and Exposures) is a list of pu…
CWE Top 25 2022. Review of changes

Date: Jul 20 2022

Author: Mikhail Gelvih

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes happened over the past year.

Comments (0)

Next comments
Unicorn with delicious cookie
Our website uses cookies to enhance your browsing experience.
Accept