I’ve posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a Magic Quadrant for static application security testing tools – rating the vendors and tools that analyze an application from the “inside out”, looking for coding conditions indicative of a security vulnerability. In the research we describe the three primary ways to perform static analysis:
- analysis of the source code
- analysis of the byte code of an interpreted language like Java or .NET
- analysis of the raw binaries of a compiled application (such as a C++ application)
The latter two are important if you don’t have the source code of the original application to analyze. For example, perhaps it’s a third-party application, or perhaps the source code simply isn’t available.
Several vendors, including Fortify, Ounce Labs and Veracode, can perform byte code analysis. Only one vendor, Veracode, has an offering that can perform true binary analysis. I’ve had several client calls where the client didn’t have access to the source code but didn’t understand the very real differences between the second and third approaches, or was confused by vendors’ claims of performing ‘binary analysis’ when the vendor really only delivered byte code analysis. Depending on what your requirements are, you may need only one (or all) of the above capabilities. Understand the difference before you buy.
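To make the first two approaches concrete, here is an added illustration (not from the original post, and not any vendor’s tooling): the same simple static check performed once on source code and once on byte code alone. Python’s `ast` and `dis` modules stand in for the Java/.NET analyzers the post describes; the sample program, the `DANGEROUS_CALLS` rule and the function names are all constructed for this example. The byte-code path works from a compiled code object only, which is the situation you are in when all you have is the equivalent of a `.pyc`, `.jar` or `.dll`. True binary analysis of a compiled C++ program has no such ready-made structure to walk, which is exactly why it is the harder of the three and why the distinction matters when comparing offerings.

```python
"""Added illustration: one static check done at the source level and again at
the byte-code level, to show what each approach has to work with."""
import ast
import dis
import types

# Constructed sample program: one function passes untrusted input to eval(),
# the other converts it safely.  It exists only to give both analysers input.
SAMPLE_SOURCE = '''
def handle(request):
    expr = request["q"]
    return eval(expr)

def safe(request):
    return int(request["q"])
'''

# Hypothetical rule for this example: any use of these builtins is a finding.
DANGEROUS_CALLS = {"eval", "exec"}


def find_dangerous_calls_in_source(source):
    """Source-level analysis: parse to an AST and look for eval()/exec() calls
    inside each function.  Returns sorted (function_name, callee) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for sub in ast.walk(node):
            if (isinstance(sub, ast.Call)
                    and isinstance(sub.func, ast.Name)
                    and sub.func.id in DANGEROUS_CALLS):
                findings.append((node.name, sub.func.id))
    return sorted(findings)


def find_dangerous_calls_in_bytecode(code):
    """Byte-code-level analysis: no source text needed, only the compiled code
    object.  A LOAD_GLOBAL/LOAD_NAME of eval or exec inside a function body is
    reported.  Note the loss of precision: the byte code no longer says
    'this is a call expression', only that the name was loaded."""
    findings = []
    if code.co_name != "<module>":
        for instr in dis.get_instructions(code):
            if (instr.opname in ("LOAD_GLOBAL", "LOAD_NAME")
                    and instr.argval in DANGEROUS_CALLS):
                findings.append((code.co_name, instr.argval))
    # Function bodies are nested code objects stored in co_consts; recurse.
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            findings.extend(find_dangerous_calls_in_bytecode(const))
    return sorted(findings)


def compile_sample():
    """Compiled form of the sample, simulating 'no source, only byte code'."""
    return compile(SAMPLE_SOURCE, "<sample>", "exec")


def analyses_agree():
    """True when both approaches report the same findings on the sample."""
    return (find_dangerous_calls_in_source(SAMPLE_SOURCE)
            == find_dangerous_calls_in_bytecode(compile_sample()))


if __name__ == "__main__":
    print("source  :", find_dangerous_calls_in_source(SAMPLE_SOURCE))
    print("bytecode:", find_dangerous_calls_in_bytecode(compile_sample()))
```

Both analysers flag `handle` and leave `safe` alone, but notice what the byte-code version had to give up: it sees a name being loaded, not a call expression, so a tool working at this level has to rebuild that context itself. A compiled native binary strips away even the names, which is the gap between byte code analysis and genuine binary analysis.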
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.