I’ve posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a Magic Quadrant for static application security testing tools – rating the vendors and tools that analyze an application from the “inside out”, looking for coding conditions indicative of a security vulnerability. In the research we describe the three primary ways to perform static analysis:
- analysis of the source code
- analysis of the byte code of an interpreted language like Java or .NET
- analysis of the raw binaries of a compiled application (such as a C++ application)
The latter two are important if you don’t have the source code of the original application to analyze. For example, perhaps it’s a third-party application, or perhaps the source code simply isn’t available.
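As an added illustration (not from the original post, and not any vendor’s tooling): a small Python triage helper that tells, from header bytes alone, whether an artifact is Java or .NET byte code or a native binary, which is exactly the distinction between the second and third approaches above. It relies on public format facts (the Java class-file magic, the ELF magic, and PE data directory 14, the CLR runtime header, which is present only in .NET assemblies); all sample headers are constructed inline and are not real files.

```python
import struct

JAVA_CLASS = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)  # constructed .class header
ELF_NATIVE = b"\x7fELF" + bytes(60)                             # constructed ELF header prefix

def make_pe(managed, pe32plus=False):
    """Build a constructed minimal PE header; managed=True fills in the CLR directory."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0, 0)
    dir_start = 112 if pe32plus else 96          # data directories offset in optional header
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + bytes(dir_start - 2)
    dirs = bytearray(16 * 8)
    if managed:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 0x48)  # CLR runtime header RVA and size
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)

def classify_pe(blob):
    """.NET assembly (CIL byte code) vs native PE image, via data directory 14."""
    if len(blob) < 0x40:
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    if len(blob) < opt + 2:
        return "unknown"
    (magic,) = struct.unpack_from("<H", blob, opt)
    clr_dir = opt + (112 if magic == 0x20B else 96) + 14 * 8
    if len(blob) < clr_dir + 4:
        return "unknown"
    (clr_rva,) = struct.unpack_from("<I", blob, clr_dir)
    return "bytecode" if clr_rva else "binary"

def classify(blob):
    """Which static analysis approach applies: 'source', 'bytecode' or 'binary'."""
    if blob[:4] == b"\xca\xfe\xba\xbe":
        return "bytecode"                        # Java class file
    if blob[:4] == b"\x7fELF":
        return "binary"                          # native ELF executable or library
    if blob[:2] == b"MZ":
        return classify_pe(blob)                 # PE: .NET assembly or native image
    try:                                         # heuristic: readable text is treated as source
        blob.decode("utf-8")
        return "source"
    except UnicodeDecodeError:
        return "unknown"
```

A vendor that only handles the `bytecode` bucket cannot analyze what lands in the `binary` bucket, however the offering is labelled.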
Several vendors, including Fortify, Ounce Labs and Veracode, can perform byte code analysis. Only one vendor, Veracode, has an offering that can perform true binary analysis. I’ve had several client calls where the client didn’t have access to the source code but didn’t understand the very real differences between the second and third approaches, or was confused by vendors’ claims of performing ‘binary analysis’ when the vendor really only delivered byte code analysis. Depending on what your requirements are, you may need only one (or all) of the above capabilities. Understand the difference before you buy.