Our website uses cookies to enhance your browsing experience.
Accept
to the top
Home
>
Posts
>
Briefly about PVS-Studio as SAST a solu…
Andrey Karpov
Andrey Karpov
Apr 17 2019
Tags:
#Security

Briefly about PVS-Studio as SAST a solution

Apr 17 2019
Author: Andrey Karpov

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also potential vulnerabilities.

There are two approaches to detecting vulnerabilities in code.

The first one implies that the analyzer searches dangerous fragments in code drawing on the base of common vulnerabilities CVE. It is similar to the work of antiviruses. This approach is effective for detecting known vulnerabilities, which could get in the project when using old libraries or due to the Copy-Paste method.

Nevertheless, this solution doesn't give the answer to the question what to do with newly written code and vulnerabilities that haven't been detected yet.

Therefore, there is the second approach when parts of code that contain security defects are preventively detected and fixed. This strategy is currently implemented in the PVS-Studio tool.

There is a Common Weakness Enumeration (CWE) base, which describes patterns of errors, which can be exploited as vulnerabilities under certain circumstances. Indeed, in practice, only a very small part of CWE-errors is dangerous. From a developer's point of view, it makes no sense to speculate whether a flaw can be used for an attack or not. You just need to fix all the defects, and thus improve the reliability of your application.

The PVS-Studio analyzer supports classification of errors according to CWE. If PVS-Studio issued a warning and matched that with one from CWE ID, it means that a potential vulnerability is detected and it has to be fixed.

I recommend checking out another article on a similar topic -"How Can PVS-Studio Help in the Detection of Vulnerabilities?". It describes some vulnerabilities, which can be found using PVS-Studio at the stage of code writing.

Introduce the PVS-Studio static code analyzer in your development process to enhance the quality and reliability of the projects you develop.

#Security
blog-subscribe blog-subscribe
blog-favorite blog-favorite

0

0

0

0

SHARE

Tags:

#Security

We can email you a selection of our best articles once a month

Popular related articles

Comments (0)

Next comments next comments
close comment form
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
* Difference between Team and Enterprise
Didn't get our email?
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
Why do we ask to use Business Email?
New License
License Renewal
--Select currency--
USD
EUR
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
Why do we ask to use Business Email?
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
I want to join the test
Why do we ask to use Business Email?
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam