Awe Fadekemi: Added comma and capitalization. Tags: Reverted, Visual edit
Rvv. Added reference has no relation to this article.
In [[computer science]], '''static program analysis''' (or '''static analysis''') is the [[program analysis|analysis]] of computer programs performed without executing them, in contrast with [[dynamic program analysis]], which is performed on programs during their execution.<ref>{{cite journal |archive-url=https://web.archive.org/web/20110927010304/http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf |archive-date=2011-09-27 | title=Industrial Perspective on Static Analysis. |journal=Software Engineering Journal |date=Mar 1995 |pages=69–75 |last1=Wichmann |first1=B. A. |first2=A. A. |last2=Canning |first3=D. L. |last3=Clutterbuck |first4=L. A. |last4=Winsbarrow |first5=N. J. |last5=Ward |first6=D. W. R. |last6=Marsh |volume=10 |issue=2 |doi=10.1049/sej.1995.0010 |url=http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf}}</ref><ref>{{Cite journal|last1=Egele|first1=Manuel|last2=Scholte|first2=Theodoor|last3=Kirda|first3=Engin|last4=Kruegel|first4=Christopher|date=2008-03-05|title=A survey on automated dynamic malware-analysis techniques and tools|url=https://doi.org/10.1145/2089125.2089126|journal=ACM Computing Surveys|volume=44|issue=2|pages=6:1–6:42|doi=10.1145/2089125.2089126| s2cid=1863333 |issn=0360-0300}}</ref>
The term is usually applied to analysis performed by an automated tool, with human analysis typically being called "program understanding", [[program comprehension]], or [[code review]]. In the last of these, [[software inspection]] and [[software walkthrough]]s are also used. In most cases the analysis is performed on some version of a program's [[source code]], and, in other cases, on some form of its [[object code]].
== Rationale ==
# [[Medical software]]: The US [[Food and Drug Administration]] (FDA) has identified the use of static analysis for medical devices.<ref>{{cite web |title = Infusion Pump Software Safety Research at FDA |author = FDA |publisher = Food and Drug Administration |date = 2010-09-08 |url = https://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/GeneralHospitalDevicesandSupplies/InfusionPumps/ucm202511.htm |access-date = 2010-09-09 |url-status = live |archive-url = https://web.archive.org/web/20100901084658/https://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/GeneralHospitalDevicesandSupplies/InfusionPumps/ucm202511.htm |archive-date = 2010-09-01 }}</ref>
# Nuclear software
# Aviation software (in combination with [[Dynamic program analysis|dynamic analysis]])<ref>[http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-9.pdf Position Paper CAST-9. Considerations for Evaluating Safety Engineering Approaches to Software Assurance] {{webarchive|url=https://web.archive.org/web/20131006134233/http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-9.pdf |date=2013-10-06 }} // FAA, Certification Authorities Software Team (CAST), January, 2002: "Verification. A combination of both static and dynamic analyses should be specified by the applicant/developer and applied to the software."</ref>
# Automotive and machinery: functional safety requirements form an integral part of each automotive product development phase ([[ISO 26262]], Sec 8).
A study in 2012 by VDC Research reported that 28.7% of the embedded software engineers surveyed currently use static analysis tools and 39.7% expect to use them within 2 years.<ref>
In the application security industry the name [[Static application security testing]] (SAST) is also used. SAST is an important part of Security Development Lifecycles (SDLs) such as the SDL defined by Microsoft<ref>M. Howard and S. Lipner. The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, 2006. {{ISBN|978-0735622142}}</ref> and a common practice in software companies.<ref>Achim D. Brucker and Uwe Sodan. [https://www.brucker.ch/bibliography/download/2014/brucker.ea-sast-expierences-2014.pdf Deploying Static Application Security Testing on a Large Scale] {{webarchive|url=https://web.archive.org/web/20141021065105/http://www.brucker.ch/bibliography/download/2014/brucker.ea-sast-expierences-2014.pdf |date=2014-10-21 }}. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. </ref>
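To make concrete what "analysis without executing the program" and a SAST check look like in practice, the following is an added example written for this page; it is not code from the article's sources, from Microsoft's SDL, or from any real analyzer. It walks the abstract syntax tree of a Python module and tracks whether attacker-controlled data (from an assumed catalog of sources such as <code>input()</code> and <code>sys.argv</code>) can reach an assumed catalog of dangerous sinks (such as <code>os.system</code> and <code>eval</code>) without passing through an assumed sanitizer. The catalogs and the sample program are constructed for illustration.

```python
"""Toy intraprocedural taint analysis over a Python AST (SAST-style check).

Added example for illustration only; not from the article, Microsoft's SDL,
or any real tool.  The SOURCES/SINKS/SANITIZERS catalogs are assumptions.
"""
import ast

# Assumed catalogs (hypothetical): calls that yield attacker-controlled data,
# calls that are dangerous with such data, and calls that neutralise it.
SOURCES = {"input", "sys.argv", "os.environ.get"}
SINKS = {"os.system", "eval", "exec", "subprocess.call"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Analyzes one function body, propagating taint through assignments."""

    def __init__(self):
        self.tainted = set()   # names that currently hold attacker-controlled data
        self.findings = []     # (line number, sink name)

    def is_tainted(self, expr):
        """Conservatively decide whether an expression may carry taint."""
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False            # sanitizer breaks the taint chain
            return any(self.is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.Subscript):   # e.g. sys.argv[1]
            return dotted_name(expr.value) in SOURCES or self.is_tainted(expr.value)
        if isinstance(expr, ast.JoinedStr):   # f-strings
            return any(self.is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(expr, ast.BinOp):       # string concatenation and the like
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        return False                          # constants and unknown forms

    def visit_Assign(self, node):
        taint = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if taint else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyze(source):
    """Return sorted (line, sink) findings for every top-level function."""
    tree = ast.parse(source)
    findings = []
    for fn in tree.body:
        if isinstance(fn, ast.FunctionDef):
            analyzer = TaintAnalyzer()
            analyzer.visit(fn)
            findings.extend(analyzer.findings)
    return sorted(findings)


# Constructed sample program under analysis; it is parsed, never executed.
SAMPLE = '''
import os, shlex, subprocess, sys

def vulnerable():
    host = input("host: ")
    os.system("ping -c 1 " + host)          # tainted string reaches os.system

def hardened():
    host = input("host: ")
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)          # sanitizer in between: no finding

def argv_sink():
    user = sys.argv[1]
    eval(f"load({user})")                   # tainted f-string reaches eval
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: attacker-controlled data reaches {sink}")
```

Running it reports the <code>os.system</code> call in <code>vulnerable</code> and the <code>eval</code> call in <code>argv_sink</code>, and nothing for <code>hardened</code>. The limits of the approach are also visible: the analyzer never learns what <code>host</code> actually contains at runtime, it loses track of taint that flows through a container, a call to an unknown function, or across function boundaries (false negatives), and treating <code>int()</code> as a sanitizer is a catalog decision rather than a proof. Those gaps are why the aviation guidance cited above asks for static and dynamic analysis in combination.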
== Tool
The OMG ([[Object Management Group]]) published a study regarding the types of software analysis required for [[software quality]] measurement and assessment. This document on "How to Deliver Resilient, Secure, Efficient, and Easily Changed IT Systems in Line with CISQ Recommendations" describes three levels of software analysis.<ref>{{cite web |url=http://www.omg.org/CISQ_compliant_IT_Systemsv.4-3.pdf |title=OMG Whitepaper | CISQ - Consortium for Information & Software Quality |access-date=2013-10-18 |url-status=live |archive-url=https://web.archive.org/web/20131228132152/http://www.omg.org/CISQ_compliant_IT_Systemsv.4-3.pdf |archive-date=2013-12-28 }}</ref>