To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (an extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at

If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

PVS-Studio finds security defects and p…

PVS-Studio finds security defects and provides application security. Report by Forrester Research on SAST, Q3 2020

Sep 01 2020

PVS-Studio, originally developed as a universal tool for finding errors in software code, is now gradually focusing on ensuring safety and security of applications, identifying potential zero-day vulnerabilities. This was facilitated by the support of CERT and MISRA standards, the classification of analyzer warnings in accordance with the CWE standard, the development of data flow analysis mechanisms for tainted data checking, and so on.


On August 6, 2020, Forrester Research released a study called "Now Tech: Static Application Security Testing, Q3 2020", which included the PVS-Studio analyzer as a SAST-specialized solution. Forrester is one of the leading researchers of the impact of new and innovative technologies on business processes and the market, so the inclusion of PVS-Studio in this study is a decent confirmation (both for our users and for us) of the relevance of this direction in which our product is developing. The research report is available for purchase to subscribers and customers of Forrester Research.

Approaches to code safety and security

There are various methodologies for improving code quality and reliability. From a security point of view, their task is to identify as many vulnerabilities as possible at the development/testing stage, so that attackers wouldn't be able to do the same and exploit the defects for their own purposes. We can't say that any methodology is the most important and useful, since they all complement each other.

Such methodologies include:

  • Improving the culture of writing code in general. What is meant here is the use of coding standards, implementing code reviews in the development process, and so on.
  • DAST (Dynamic application security testing). Dynamic analysis tools allow you to identify vulnerabilities in code, such as SQL injections, buffer overflow, and the like. Disadvantage: the need to run applications on a large number of different tests and the necessity to spend large amounts of time. Advantages: almost total absence of false positives, or the need to have access to the code of applications. An approach that also requires access to the source code is called IAST (Interactive Application Security Testing).
  • SAST (Static application security testing). A type of static code analysis focused on finding existing and potential vulnerabilities. It can reveal a large number of defects, including even those that haven't revealed themselves yet. Disadvantages: analyzers emit false positives and require the presence of the source code of the program. Advantages: no need to run tested applications, high speed.
  • RASP (Runtime application self-protection). Runtime application self-protection is one of the security tools that is used when running a program. RASP analyzes the behavior of an application and thus provides continuous security analysis.
  • Other methods or varieties of the above ones.

These methodologies are organically integrated into the development process, and we can say that their implementation turns DevOps into DevSecOps.

In this article, we will focus more on SAST, which in turn is divided into two major directions.

First direction: search for known vulnerabilities

The first type of analyzers work on the principle of antivirus. They know how code fragments containing known vulnerabilities (CVE) look like. They search for these fragments in the code of projects being checked. In practice, everything is a little more complicated, but the general idea is very similar to this one.

The analyzers of this type will help you detect, for example, that your code uses an old version of the library that contains a known and long-found vulnerability. Tools that search the database almost do not emit false positives, but they are powerless when it comes to finding errors in new code (zero-day vulnerabilities).

Second direction: search for zero-day vulnerabilities

The application may contain an error that will remain unnoticed for some time. If a hacker finds such an error and comes up with a way to exploit it, it will turn into a new vulnerability. Such a dangerous identified defect is called "zero-day vulnerability". The term itself means that developers had 0 days to fix the defect.

The analyzers of this type help detect errors that can potentially cause a vulnerability. A large number of such error patterns are collected in CWE and many analyzer developers rely on this database.

Static analyzers are usually not able to understand whether an error can turn into a vulnerability or not, but this is not necessary. Let's say the analyzer detects an array index out of bounds. If the person investigating the analyzer report is not an attacker, but a project developer, then it doesn't make sense for them to figure out whether this error is a security threat or not. They just need to fix this error. By fixing the error, the developer could have eliminated a vulnerability. On the other hand, this may just be an error that causes the app to work incorrectly. In any case, it is useful to find and fix the error.

PVS-Studio is one of the tools that implement the second direction of security defect detection, and now we will look at it in more detail.

Development of PVS-Studio as a SAST solution

Initially, PVS-Studio was developed as a classic static code analyzer. It allows you to find a wide range of errors in the code of programs written in C, C++, C#, and Java. You can check out various articles about checking open projects using it in order to evaluate its diagnostic capabilities.

Over time, it became clear that much of what the PVS-Studio analyzer can do is nothing more than code security testing. In other words, the analyzer is good at finding potential vulnerabilities (see examples).

It should be understood that the reason for most vulnerabilities is not some complex problems in the security system, but ordinary software errors in the code.

The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.

Security errors are all the same familiar classic errors, such as an array index out of bounds, incorrect conditions, typos, and so on. That's just the negative consequences of such errors in some cases that are much more noticeable and expensive.

PVS-Studio has already been able to find a large number of these errors, and its use allows you to make the program code more reliable and secure. However, this does not mean that our team just assigned the word SAST to PVS-Studio and that's it :).

Earlier in the article, we mentioned Common Weakness Enumeration (CWE). We studied this resource and took examples of errors that PVS-Studio was not able to detect yet. Over time, when developing new diagnostic rules, we began to increase the number of rules that can be classified as potential vulnerabilities. In addition, for the convenience of users, we have mapped the messages generated by the analyzer according to the CWE classification. Now you can enable displaying CWE IDs in the analyzer.

To enhance the capabilities of PVS-Studio, our team also paid attention to the SEI CERT Coding Standard. It is a set of standards for writing software in C, C++, Java, and Perl, developed by the CERT (CERT Coordination Center, CERT/CC) to improve software reliability and security. See the PVS-Studio warning classification table according to the SEI CERT Coding Standard.

Another area of work is support for the MISRA C and MISRA C++ standards. These standards do not directly relate to vulnerabilities. CWE and CERT standards can be called by the common word "security", whereas MISRA standards relate to the "safety" category. The purpose of MISRA standards is to improve safety, portability and reliability of programs for embedded systems. In any case, the MISRA standard is often mentioned in the context of SAST or as a related topic. Mapping table.

Having done all this work, we can now honestly say that the PVS-Studio tool is a SAST solution and its regular use will help prevent many zero-day vulnerabilities in your code.

The future of SAST and safety directions in PVS-Studio

As we already mentioned at the beginning of the article, we see the inclusion of PVS-Studio in the Forester Research report as a good indicator of the correctness of the chosen direction of development. Of course, while developing the analyzer's SAST capabilities, we didn't forget about classic general purpose diagnostics, support for new compilers, languages, embedded systems, CI/CD infrastructure for using the analyzer, and other areas that PVS-Studio has traditionally being covering. Moreover, these directions complement each other very well.

We will not remain complacent and will continue to develop SAST and safety directions in PVS-Studio. Support for MISRA C / MISRA C++ standards will be expanded. We plan to consider implementing rules from the OWASP standard in Java and C# analyzers. As for the C and C++ analyzer, we think it is promising to develop towards supporting the AUTOSAR standard.

Additional links

Popular related articles
The Ultimate Question of Programming, Refactoring, and Everything

Date: Apr 14 2016

Author: Andrey Karpov

Yes, you've guessed correctly - the answer is "42". In this article you will find 42 recommendations about coding in C++ that can help a programmer avoid a lot of errors, save time and effort. The au…
Appreciate Static Code Analysis!

Date: Oct 16 2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: Oct 22 2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
Static analysis as part of the development process in Unreal Engine

Date: Jun 27 2017

Author: Andrey Karpov

Unreal Engine continues to develop as new code is added and previously written code is changed. What is the inevitable consequence of ongoing development in a project? The emergence of new bugs in th…
Free PVS-Studio for those who develops open source projects

Date: Dec 22 2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
The Evil within the Comparison Functions

Date: May 19 2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…
PVS-Studio for Java

Date: Jan 17 2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →