Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Byte Code Analysis is not the Same as Binary Analysis

by Neil MacDonald  |  July 24, 2009  |  5 Comments

I’ve posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a magic quadrant for static application security testing tools – rating the vendors and tools that analyze an application from the “inside out” looking for coding conditions indicative of a security vulnerability. In the research we describe the three primary ways to perform static analysis:

  • analysis of the source code
  • analysis of the byte code of an interpreted language like Java or .NET
  • analysis of the raw binaries of a compiled application (such as a C++ application)

The latter two are important if you don’t have the source code of the original application to analyze. For example, perhaps it’s a third-party application, or perhaps the source code simply isn’t available.

Several vendors, including Fortify, Ounce Labs and Veracode, can perform byte code analysis. Only one vendor, Veracode, has an offering that can perform true binary analysis. I’ve had several client calls where the client didn’t have access to the source code but didn’t understand the very real differences between the second and third approaches, or was confused by vendors’ claims of performing ‘binary analysis’ when the vendor really only delivered byte code analysis. Depending on what your requirements are, you may need only one (or all) of the above capabilities. Understand the difference before you buy.
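As an added example (not from this post, and not code from any of the vendors named in it), the script below sorts an estate of application artifacts into the buckets the post distinguishes, by parsing each artifact's container format: a Java class file is identified by its magic number; a PE image is managed (.NET, i.e. CIL byte code) only if its data directories contain a CLR runtime header, otherwise it is native code; ELF and Mach-O images are native. The format constants come from the public ELF, PE/COFF, Mach-O and Java class file specifications, and the sample artifacts are constructed header-only stubs built inline for the example.

```python
import struct
from typing import Dict, List, Optional

# Format constants come from the public ELF, PE/COFF, Mach-O and Java class
# file specifications; nothing here is taken from the post or a vendor tool.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the PE data directories


def pe_has_clr_header(data: bytes) -> Optional[bool]:
    """True if a PE image carries a CLR runtime header (managed .NET assembly,
    i.e. CIL byte code), False if it is a native PE, None if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                      # COFF file header (20 bytes)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20                                          # optional header start
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                       # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                                     # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        return None
    if size_opt < num_dirs_off + 4:
        return False                                         # no data directories: cannot be managed
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return False
    entry = opt + dirs_off + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > opt + size_opt:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def classify(data: bytes) -> str:
    """Map an artifact's bytes to the analysis it needs: 'bytecode' (Java
    class file or .NET assembly), 'binary' (native code) or 'unknown'."""
    if data[:4] == JAVA_CLASS_MAGIC:
        return "bytecode"
    if data[:4] == ELF_MAGIC or data[:4] in MACHO_MAGICS:
        return "binary"
    managed = pe_has_clr_header(data)
    if managed is True:
        return "bytecode"
    if managed is False:
        return "binary"
    return "unknown"


def inventory(artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group artifact names by the kind of static analysis they need."""
    buckets: Dict[str, List[str]] = {"bytecode": [], "binary": [], "unknown": []}
    for name, data in sorted(artifacts.items()):
        buckets[classify(data)].append(name)
    return buckets


def build_pe_sample(managed: bool) -> bytes:
    """Constructed header-only PE32 image (no sections) used as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if managed:
        # CLR runtime header directory entry; RVA and size are constructed placeholders
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return dos + coff + bytes(opt)


# Constructed sample estate: names and contents are made up for this example.
SAMPLES = {
    "Hello.class": JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34",   # minor 0, major 52
    "Managed.exe": build_pe_sample(managed=True),
    "native.exe": build_pe_sample(managed=False),
    "libnative.so": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9,  # 64-bit little-endian e_ident
    "README.txt": b"not an executable at all",
}

if __name__ == "__main__":
    for kind, names in inventory(SAMPLES).items():
        print(f"{kind:9s} {', '.join(names) or '-'}")
```

Running the script prints the two managed artifacts under "bytecode", the ELF and the native PE under "binary", and the text file under "unknown". The caveat a buyer should keep in mind is that the top-level artifact does not tell the whole story: a .NET assembly can call into native DLLs and a JAR can ship native libraries, so the inventory should be run over an application's dependencies too, which is exactly the mixed estate that makes the byte code versus binary distinction matter.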


Category: Application Security

5 responses so far ↓

  • 1 Zero in a bit » Bytecode Analysis is not the same as Binary Analysis   July 27, 2009 at 9:01 am

    [...] analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, [...]

  • 2 jenni   July 27, 2009 at 11:35 am

    Amazing blog post!

  • 3 Byte Code Analysis is not the Same as Binary Analysis   July 28, 2009 at 9:08 am

    [...] perform static analysis: analysis of the source code analysis of the byte code of an interpreted la [...]

  • 4 Andrew   July 28, 2009 at 9:39 am

    I’d be curious to know if most applications written in Java and .NET are delivered in bytecode form or in binary form. I may be wrong but I understand most Java applications are delivered in bytecode (and mostly obfuscated) form. If this is the case, then it’s less of a question of bytecode versus binary analysis. Clearly for C/C++ and similar code, it’s a question of source versus binary where there are clear advantages and disadvantages depending upon if you are a vendor, user or auditor of the software.

  • 5 Neil MacDonald   July 28, 2009 at 9:47 am

    Andrew – yes – agree that most Java and .NET applications are delivered as byte code, so if you don’t have access to the source code, a solution that can analyze byte code may be all you need – *if* all you need to scan are Java and .NET applications.

    However, some organizations still will have native C/C++ compiled applications as well as Java and .NET applications that call out to native binary code.

    As I said in the post, understand the differences between these types of static analysis solutions and understand what your needs really are. My first preference would be to work from source code all the time, but that isn’t always possible…