
Briefly about PVS-Studio as SAST a solution

17 Apr 2019

PVS-Studio is a static application security testing (SAST) tool. In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also potential vulnerabilities.


There are two approaches to detecting vulnerabilities in code.

In the first one, the analyzer searches the code for dangerous fragments using the Common Vulnerabilities and Exposures (CVE) database. This is similar to how antivirus software works. The approach is effective for detecting known vulnerabilities, which can get into a project through outdated libraries or through copy-pasting.

Nevertheless, this solution doesn't answer the question of what to do with newly written code and with vulnerabilities that haven't been discovered yet.

Hence the second approach: code fragments that contain security defects are detected and fixed preemptively. This is the strategy currently implemented in the PVS-Studio tool.

The Common Weakness Enumeration (CWE) database describes patterns of errors that can be exploited as vulnerabilities under certain circumstances. In practice, only a very small fraction of CWE-type errors turn out to be dangerous. From a developer's point of view, there is no sense in speculating whether a given flaw can be used for an attack or not. You simply need to fix all the defects, and thereby improve the reliability of your application.

The PVS-Studio analyzer supports classification of errors according to CWE. If PVS-Studio issues a warning and maps it to a CWE ID, that means a potential vulnerability has been detected and it has to be fixed.
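As an added illustration of the point above (example code, not from the article and not PVS-Studio's own code): a hypothetical message parser whose size arithmetic wraps for large counts, which is an ordinary arithmetic defect and at the same time a CWE-190 weakness, shown beside the corrected computation. The message format, the constants and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, names hypothetical: a message is a 4-byte
 * little-endian entry count followed by 'count' fixed-size entries. */
#define ENTRY_SIZE  64u
#define MAX_ENTRIES (1u << 20)   /* hypothetical policy limit */

/* Before: the product wraps in 32 bits for large counts (CWE-190), the
 * buffer ends up undersized (CWE-131) and the copy overruns it (CWE-122).
 * The wrap is a plain arithmetic bug; it gets fixed regardless of exploitability. */
size_t naive_alloc_bytes(uint32_t count) { return count * ENTRY_SIZE; }

/* After: bound the count and multiply in size_t; returns 0 to reject. */
int checked_alloc_bytes(uint32_t count, size_t *out_bytes)
{
    *out_bytes = 0;
    if (count > MAX_ENTRIES || count > SIZE_MAX / ENTRY_SIZE) return 0;
    *out_bytes = (size_t)count * ENTRY_SIZE;
    return 1;
}
/* Parses one message with the hardened size computation.
 * Returns the entry count, or -1 when the header or body is rejected. */
int load_entries(const uint8_t *msg, size_t msg_len, unsigned char **out)
{
    if (msg_len < 4) return -1;
    uint32_t count = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                     (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    size_t bytes;
    if (!checked_alloc_bytes(count, &bytes)) return -1;
    if (msg_len - 4 < bytes) return -1;          /* truncated body */
    unsigned char *buf = malloc(bytes ? bytes : 1);
    if (!buf) return -1;
    memcpy(buf, msg + 4, bytes);
    *out = buf;
    return (int)count;
}
/* Helper: builds a header for 'count' over 'body_len' zero bytes and parses it. */
int parse_with_count(uint32_t count, size_t body_len)
{
    uint8_t *msg = calloc(4 + body_len, 1);
    if (!msg) return -1;
    for (int i = 0; i < 4; i++) msg[i] = (uint8_t)(count >> (8 * i));
    unsigned char *entries = NULL;
    int n = load_entries(msg, 4 + body_len, &entries);
    free(entries); free(msg);
    return n;
}
```

A count of 0x04000001 makes the naive computation yield 64 bytes for over 67 million entries, whereas the checked version rejects the header before any allocation.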


I recommend checking out another article on a similar topic: "How Can PVS-Studio Help in the Detection of Vulnerabilities?". It describes some vulnerabilities that can be found with PVS-Studio at the code-writing stage.

Introduce the PVS-Studio static code analyzer into your development process to enhance the quality and reliability of the projects you develop.
