Static Code Analysis for Security - Comparison of Software Packages
Description
The adoption of the internet has brought a new list of security threats to software applications. In the fully connected state of cloud computing, the world wide web, and web services communicating across business-to-business and business-to-consumer applications, crucial software processes are exposed to increasingly sophisticated security attacks on the public internet. Hackers today are world-class developers, capable of exploiting minute software vulnerabilities for profit. To address this growing threat, the enterprise typically adopts a variety of countermeasures, including firewalls, intrusion detection software, coding best practices, secure communications, etc. One aspect any security policy should consider is software vulnerability assessment and remediation, in which static code analysis should play a key role. Static code analysis is a class of software whose primary function is to scan non-executing source code for security vulnerabilities and alert IT management and engineers to potential security risks.
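To make the definition above concrete, here is an added illustration (not code from the paper or from any of the commercial products it surveys) of what a static security analyzer does at its core: it parses source code into an abstract syntax tree, walks that tree without ever executing the program, and reports call sites that match a rule table. The rule table and the embedded sample program are constructed for this example; real products ship far larger rule sets and perform data-flow analysis rather than simple pattern matching.

```python
"""Minimal AST-based static security analyzer (added example, not the paper's code).

Walks Python source without executing it and reports calls that commonly
indicate a security risk. RULES, SHELL_RULES and SAMPLE_PROGRAM below are
constructed for this illustration.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Calls that are risky whenever they appear (constructed rule table).
RULES = {
    "eval": "eval() on untrusted input allows arbitrary code execution",
    "exec": "exec() on untrusted input allows arbitrary code execution",
    "pickle.loads": "unpickling untrusted data can execute arbitrary code",
    "os.system": "os.system() builds a shell command from a string (command injection)",
}

# Calls that are risky only when invoked with shell=True (constructed rule table).
SHELL_RULES = {
    "subprocess.call": "subprocess with shell=True is prone to command injection",
    "subprocess.run": "subprocess with shell=True is prone to command injection",
    "subprocess.Popen": "subprocess with shell=True is prone to command injection",
}


@dataclass(frozen=True)
class Finding:
    line: int      # source line number where the call appears
    call: str      # qualified call name that matched a rule
    message: str   # why the analyzer flagged it


def _call_name(node: ast.Call) -> Optional[str]:
    """Return 'name' for bare calls or 'module.attr' for attribute calls, else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def scan_source(source: str) -> List[Finding]:
    """Parse `source` (never executed) and return rule matches sorted by line."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RULES:
            findings.append(Finding(node.lineno, name, RULES[name]))
        elif name in SHELL_RULES and _has_shell_true(node):
            findings.append(Finding(node.lineno, name, SHELL_RULES[name]))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample program to scan; line numbers are noted in the comments.
SAMPLE_PROGRAM = '''\
import subprocess
import pickle

def run(cmd):
    subprocess.call(cmd, shell=True)      # line 5: flagged

def load(blob):
    return pickle.loads(blob)             # line 8: flagged

def calc(expr):
    return eval(expr)                     # line 11: flagged

def safe():
    subprocess.call(["ls", "-l"])         # line 14: list argv, no shell, not flagged
'''


def report(source: str) -> List[str]:
    """Render findings as one alert line each, the way a scanner would notify engineers."""
    return [f"line {f.line}: {f.call}: {f.message}" for f in scan_source(source)]


if __name__ == "__main__":
    for alert in report(SAMPLE_PROGRAM):
        print(alert)
```

Running the module prints three alerts (lines 5, 8 and 11) and nothing for the `safe()` function, which shows the two properties the description attributes to this class of tool: the sample program is never run, and the output is an alert list aimed at the people who must remediate the code.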
This research will discuss static code security analysis software. The paper will examine how these techniques are used, what types of issues they address, and some of the popular commercial software available. The intent of this research is to provide IT Managers, software architects, Software Configuration Management (SCM), Software Engineers, and other persons with the background they will need to understand how automated static code security analysis fits into their environments.