PVS-Studio as a static application security testing tool (SAST)
PVS-Studio is included in the Forrester Research report "Now Tech: Static Application Security Testing, Q3 2020" as a SAST specialist. Adopting Static Application Security Testing (SAST) methodology improves application security and helps to reduce the impact of security flaws in application lifecycle. Forrester Research is a leading emerging-technology research firm providing data and analysis that defines the impact of technology change on business. The report is available by purchase or with a subscription with Forrester Research.
PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).
For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).
Mapping tables of PVS-Studio diagnostics to different standards:
- CWE mapping
- OWASP Application Security Verification Standard mapping
- SEI CERT Coding Standard mapping
- MISRA C, MISRA C++ mapping
- AUTOSAR C++14 Coding Guidelines mapping
- OWASP Top 10 Web Application Security Risks mapping
The most widespread classification of SAST tool warnings is Common Weakness Enumeration (CWE). Using the CWE methodology, let's consider how the PVS-Studio analyzer helps to avoid vulnerabilities.
If we refer to a list of entries of publicly known information security vulnerabilities (CVE), it turns out that often the reason of vulnerabilities in applications is not any defects in the security system, but ordinary programming errors. National Institute of Standards and Technology (NIST) confirms this by stating that 64% of vulnerabilities in applications relate to errors in code.
It is such errors, described in CWE, that potentially can lead to vulnerabilities. Accordingly, if an error can be classified as CWE, it is possible that it may be exploited as a vulnerability and ultimately be added to the list of CVE. For clarity, we can use an image of the funnel:
There is a great variety of errors. Some of them are dangerous from a security point of view and therefore are classified according to CWE. Some CWE-errors can be exploited and they represent vulnerabilities.
Indeed, in practice, only a very small part of discovered CWE-errors is dangerous and represents vulnerabilities. However, if you are developing security-critical applications and care about the security of users, you should consider these errors very seriously. Eliminating the CWE-errors, you protect your application from many vulnerabilities.
Now the relation between errors, PVS-Studio and vulnerabilities becomes apparent. PVS-Studio analyzer finds errors and classifies many of them as CWE. By fixing these errors, you make your application more reliable. The discovery of vulnerability in the product can seriously affect its reputation. By fixing the analyzer errors, you can significantly alleviate this risk at the earliest development stage - when you are writing the code.
PVS-Studio analyzer, like any other tool, does not guarantee that there are no vulnerabilities in your code. However, if PVS-Studio prevents, for example, 50% of potential vulnerabilities, this is wonderful.
Additionally we offer you to get acquainted with the article "How Can PVS-Studio Help in the Detection of Vulnerabilities?", showing the errors that led to vulnerabilities and which could have been avoided in case of using the PVS-Studio tool in the development process.
Start using PVS-Studio as a SAST solution: download PVS-Studio.