PVS-Studio as a SAST solution
PVS-Studio is included in the Forrester Research report "Now Tech: Static Application Security Testing, Q3 2020" as a SAST specialist. Adopting Static Application Security Testing (SAST) methodology improves application security and helps to reduce the impact of security flaws in application lifecycle. Forrester Research is a leading emerging-technology research firm providing data and analysis that defines the impact of technology change on business. The report is available by purchase or with a subscription with Forrester Research.
PVS-Studio helps improve code in three directions: quality, safety, and security.
No matter what software you develop, the code quality should be high — so that your clients encounter fewer problems, and you develop the project easier and at a lower cost.
The General Analysis diagnostics help find problems related to code quality. They detect:
- array index out of bounds;
- null pointer dereference;
- incorrect function call;
- synchronization problems;
- and other defects.
You can find a list of the General Analysis diagnostics here.
Safety is especially important in software where defects may lead to serious consequences: loss of million dollars or even human lives. Applications in space industry, medicine, and mechanical engineering, have high safety requirements and must contain no errors.
To write safe code, developers use special standards (for example, MISRA C, MISRA C++, AUTOSAR Coding Guidelines).
PVS-Studio detects non-compliance with these standards. Tables of PVS-Studio's diagnostics and how they correspond to the safety standards:
If you work with the MISRA standards, you may need the MISRA Compliance report. You can generate it with utilities from PVS-Studio. Read more here.
Secure code is resistant to malicious attacks: SQL injections, XXE, XSS, and others. Security is important in applications that work with user data (banking software, web applications, etc.).
To make applications secure, teams use secure software development life cycle (SSDLC). One of the life cycle stages is searching for security problems with SAST (static application security testing).
PVS-Studio is a SAST solution that searches for weaknesses and helps increase code security.
Tables that list PVS-Studio diagnostics and how they correspond to potential vulnerabilities and secure development standards:
- Common Weakness Enumeration (CWE)
- OWASP ASVS (Application Security Verification Standard)
- SEI CERT Coding Standards
The most dangerous and common weaknesses are listed in various tops. Find out how PVS-Studio helps fight these weaknesses:
Benchmark suites for testing code analyzers
Benchmarks help evaluate the abilities of static analyzers. It is a set of code fragments that help evaluate whether the analyzer finds problems and whether it issues false positives.
PVS-Studio's coverage of benchmarks is as follows:
- Toyota ITC Benchmarks: 49%. The evaluation method is here.