Bug fixing with code analysis: static vs. dynamic

Bug fixing with code analysis: static vs. dynamic

August 13th, 2013 By: Stefan von Gagern
It is better to discover any program errors and security gaps in apps and websites earlier rather than later – bug fixing at a later stage is often not only expensive but also time-consuming. We will show you how code analysis can help.
Bug fixing with code analysis: static vs. dynamic

Use Code analysis tools to find bugs and fix them.
(Source: © Mircea Maties - fotolia.com)

Old programmer wisdom holds that “No software is error-free.” In spite of this, bug fixing, troubleshooting and error clearance are extremely important before an app or website is published. Anyone having to deal with applications which are prone to crashing at the start will quickly drive the target group towards the competition. This competition is generally only a click away in the browser or app store and often offers an alternative to one’s own product. Software is only considered to be stable or robust if it rarely tends to crash or show errors.

Today, with the complexity of functions available, searching for software errors is not, however, by any means getting any easier, but is becoming increasingly time-consuming and expensive. The number of operating systems (and versions), mobile platforms, devices, web browsers and other client software is increasing. In fact, all of them need to be thoroughly tested, something which considering the combinations of devices and system versions which exist, is rarely actually possible. Some errors – for example those with Android – may only be discovered if certain apps interact and interfere with each other.

A warning about open source

Open-source software, which is currently very popular, presents a frequent but initially completely unexpected problem: The open source code has the image of being both tried and tested and high security and quality, as it ultimately comes from “the community” where a large number of programmers have already tested and used it. However, the integration of external code into your own projects is often accompanied by the transfer of bugs and, in terms of security, risky backdoors. For this reason, the code should – where external code is implemented in your own applications – be checked even more thoroughly and critically beforehand.

Trawling through source code – manually or automatically?

Checking source code “on foot”, i.e., simply checking for errors line by line, is not just tedious and stupid. This process is also subject to the factor that humans are only fallible and may overlook errors. However, automated tools which help to check the code have fortunately been available for some time now.

The simplest variant is just searching for certain keywords. The Linux command “grep”, for example, can output every line of code in which the strcpy() function responsible for buffer overflows appears. However, only searching for terms has critical weaknesses: This process is likely to generate false positives, i.e., correctly implemented but insecure functions are output as errors and therefore raise a false alarm. In addition, it also produces false negatives, whereby the specific search for keywords at the same time overlooks complex errors. Semantic analysis tools go further in this area. These are not restricted to assessing that a function is being used, but take into consideration how and in what context it is used.

Code analysis tools: static vs. dynamic

The static code analysis is performed at compile time. I.e., the source text, which is then subject to a range of checks, is required in each case. The benefit of this is that different types of errors can be identified even before the software is run.

The dynamic code analysis, on the other hand, requires a program to be run. Dynamic program analysis tools load special libraries or often require the program code to be recompiled. Theoretically, the dynamic analysis sounds superior:

  • Dynamic code analysis can identify dependencies which a static analysis cannot see.
  • Dynamic code analysis can collect temporal information.
  • Dynamic code analysis can offer real-time runtime values.

In practice, however, there are a few real disadvantages:

  • Working with the dynamic analysis is far more complex.
  • There is no guarantee that the complex source code has been tested since running programs depends on user interactions. Even with automated user tests, it cannot be ensured that all scenarios have been tested.

Summary: Only static analysis covers the entire source code

Code Analyzer: Dashboard
Code Analyzer: dashboard view - creating projects (source: own illustration)

In theory, dynamic code analysis sounds far superior based on its semantic code identification. But only static analysis can provide real security when it comes to bug fixing since it is capable of scanning the entire code.

With the Code Analyzer, Developer Garden is offering a static analysis tool. This can flexibly test all types of software and applications for security gaps. The Code Analyzer supports a wide range of programming languages such as .NET, ASP, VB, JAVA, C and C++, PHP, RUBY, Perl and Java Script. As a web-based solution via the cloud, the tool is ready to use immediately, scans the code automatically at no additional cost and provides you with results extremely quickly.

With our service, the ratio of hits which are false positives is below 10 percent. In order to keep the security status up-to-date at all times and thus guarantee the best possible results, we are continually working on extending the repertoire of possible weaknesses.

Would you like to take a look at how the Code Analyzer works? In our video, you can familiarize yourself with this tool in just seven minutes:

About the author
About the author

Stefan von Gagern works as a freelance journalist in Hamburg. Since 10 years he covers web and mobile technologies and –development. He also works as a consultant, helping companies to build websites, mobile and social media. At Kiel university of applied sciences he teaches media conception. In his free time the gadget fan loves to write music as a singer/guitar player in bands and his home studio.

Contact: Homepage | Twitter