I’ve posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a magic quadrant for static application security testing tools – rating the vendors and tools that analyze an application from the “inside out” looking for coding conditions indicative of a security vulnerability. In the research we describe the three primary ways to perform static analysis:
- analysis of the source code
- analysis of the byte code of an interpreted language like Java or .NET
- analysis of the raw binaries of a compiled application (such as a C++ application)
The latter two are important if you don’t have the source code of the original application to analyze. For example, perhaps it’s a third-party application, or perhaps the source code simply isn’t available.
Several vendors, including Fortify, Ounce Labs and Veracode, can perform byte code analysis. Only one vendor, Veracode, has an offering that can perform true binary analysis. I’ve had several client calls where the client didn’t have access to the source code but didn’t understand the very real differences between the second and third approaches, or was confused by vendors’ claims of performing ‘binary analysis’ when the vendor really only delivered byte code analysis. Depending on what your requirements are, you may need only one (or all) of the above capabilities. Understand the difference before you buy.
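A practical first step before evaluating any of these tools is to check what you actually hold: source, bytecode (Java class files or .NET IL assemblies) or a native binary. The following is an added example, not code from the original post or from any of the vendors named; it classifies an artifact by its header so you know whether source, byte code or true binary analysis is required. A .NET assembly is a PE file, so the check has to look for the CLR runtime header to tell IL apart from compiled native code. Header offsets follow the published class-file, ELF and PE/COFF formats; the sample inputs are constructed, not real binaries.

```python
import struct

def _unpack(data: bytes, off: int, fmt: str):
    """Unpack fmt at offset off, failing cleanly on truncated input."""
    size = struct.calcsize(fmt)
    if off + size > len(data):
        raise ValueError("truncated header")
    return struct.unpack(fmt, data[off:off + size])

def classify_artifact(data: bytes) -> str:
    """Return 'java-bytecode', 'dotnet-il', 'native-elf', 'native-pe' or 'source-or-unknown'."""
    if data[:4] == b"\xca\xfe\xba\xbe":          # Java class file magic: byte code analysis
        return "java-bytecode"
    if data[:4] == b"\x7fELF":                   # ELF: compiled native code, needs binary analysis
        return "native-elf"
    if data[:2] == b"MZ":                        # DOS stub: native PE or a .NET assembly
        (pe_off,) = _unpack(data, 0x3C, "<I")
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return "source-or-unknown"
        opt = pe_off + 4 + 20                    # skip PE signature and 20-byte COFF header
        (magic,) = _unpack(data, opt, "<H")      # 0x10B = PE32, 0x20B = PE32+
        # Data directories start 96 (PE32) or 112 (PE32+) bytes into the optional header;
        # entry 14 is the CLR runtime header, populated only for managed (.NET IL) images.
        dd = opt + (96 if magic == 0x10B else 112) + 14 * 8
        clr_rva, clr_size = _unpack(data, dd, "<II")
        return "dotnet-il" if clr_rva and clr_size else "native-pe"
    return "source-or-unknown"

# --- constructed sample inputs (synthetic headers, not real programs) -------------
JAVA_CLASS = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)   # major 52 = Java 8
ELF_BIN = b"\x7fELF" + b"\x02\x01\x01" + b"\0" * 9              # 64-bit, little-endian

def build_pe(pe32plus: bool, managed: bool) -> bytes:
    """Minimal PE header: DOS stub, PE signature, COFF header, optional header, 16 data dirs."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80))   # e_lfanew -> 0x80
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0" + b"\0" * 20
    hdr += struct.pack("<H", 0x20B if pe32plus else 0x10B)
    hdr += b"\0" * ((112 if pe32plus else 96) - 2)
    dirs = bytearray(16 * 8)
    if managed:
        dirs[14 * 8:14 * 8 + 8] = struct.pack("<II", 0x2008, 0x48)  # CLR header RVA/size
    return bytes(hdr + dirs)

if __name__ == "__main__":
    samples = [("Java class", JAVA_CLASS), ("ELF", ELF_BIN),
               ("PE32 native", build_pe(False, False)), ("PE32+ .NET", build_pe(True, True))]
    for name, blob in samples:
        print(f"{name:12} -> {classify_artifact(blob)}")
```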