Gartner Blog Network

Byte Code Analysis is not the Same as Binary Analysis

by Neil MacDonald  |  July 24, 2009  |  5 Comments

I’ve posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a Magic Quadrant for static application security testing tools, rating the vendors and tools that analyze an application from the “inside out”, looking for coding conditions indicative of a security vulnerability. In that research we describe the three primary ways to perform static analysis:

  • analysis of the source code
  • analysis of the byte code of an interpreted language like Java or .NET
  • analysis of the raw binaries of a compiled application (such as a C++ application)

The latter two are important if you don’t have the source code of the original application to analyze. For example, perhaps it’s a third-party application, or perhaps the source code simply isn’t available.

Several vendors, including Fortify, Ounce Labs and Veracode, can perform byte code analysis. Only one vendor, Veracode, has an offering that can perform true binary analysis. I’ve had several client calls where the client didn’t have access to the source code but didn’t understand the very real differences between the second and third approaches, or was confused by vendors’ claims of performing ‘binary analysis’ when the vendor really only delivered byte code analysis. Depending on what your requirements are, you may need only one (or all) of the above capabilities. Understand the difference before you buy.
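The difference above has to be settled artifact by artifact before a tool is chosen. The following header sniffer is an added example (not from the post or any vendor) that sorts a file into JVM/.NET byte code, which a byte code analyzer can handle, or a native compiled binary, which needs true binary analysis; `sample_pe` builds a constructed, non-loadable PE header for demonstration, and the major_version threshold of 45 used to tell a Java class file from a Mach-O fat binary is a heuristic assumption.

```python
import io
import struct
import zipfile

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header directory
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")

def _pe_is_managed(data: bytes) -> bool:
    """True when a PE image carries a CLR runtime header, i.e. it is a .NET assembly."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directory offset: PE32 vs PE32+
    rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    return rva != 0 and size != 0

def classify(data: bytes) -> str:
    """Return 'bytecode', 'native' or 'unknown' from the artifact's file header."""
    if data[:4] == b"\xca\xfe\xba\xbe":
        # Java class files and Mach-O fat binaries share this magic. A class file's
        # major_version (>= 45 since JDK 1.1) sits where a fat binary keeps its small
        # architecture count, so the big-endian value at offset 4 decides (heuristic).
        return "bytecode" if struct.unpack_from(">I", data, 4)[0] >= 45 else "native"
    if data[:4] == b"PK\x03\x04":  # zip container: a JAR/WAR holding .class files
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "bytecode" if any(n.endswith(".class") for n in zf.namelist()) else "unknown"
    if data[:2] == b"MZ" and len(data) > 0x40:
        return "bytecode" if _pe_is_managed(data) else "native"  # CIL assembly vs native PE
    if data[:4] == b"\x7fELF" or data[:4] in MACHO_MAGICS:
        return "native"
    return "unknown"

def sample_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 header (not loadable) for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    directories = bytearray(8 * 16)
    if managed:
        struct.pack_into("<II", directories, 8 * CLR_DIR, 0x2008, 0x48)  # fake CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + bytes(20) + struct.pack("<H", 0x10B) + bytes(94) + bytes(directories)

def sample_jar() -> bytes:
    """Constructed JAR with one stub class entry for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    return buf.getvalue()
```

A Java or .NET application that calls out to native code will still contain artifacts classified as native, which is exactly the case where byte code analysis alone falls short.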

Category: application-security  

Tags: application-security  application-security-testing-tools  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Byte Code Analysis is not the Same as Binary Analysis

  1. […] analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, […]

  2. jenni says:

    Amazing blog post!

  4. Andrew says:

    I’d be curious to know if most applications written in Java and .NET are delivered in bytecode form or in binary form. I may be wrong but I understand most Java applications are delivered in bytecode (and mostly obfuscated) form. If this is the case, then it’s less of a question of bytecode versus binary analysis. Clearly for C/C++ and similar code, it’s a question of source versus binary where there are clear advantages and disadvantages depending upon if you are a vendor, user or auditor of the software.

  5. Neil MacDonald says:

    Andrew – yes – agree that most Java and .NET applications are delivered as byte code, so if you don’t have access to the source code, a solution that can analyze byte code may be all you need – *if* all you need to scan are Java and .NET applications.

    However, some organizations still will have native C/C++ compiled applications as well as Java and .NET applications that call out to native binary code.

    As I said in the post, understand the differences between these types of static analysis solutions and understand what your needs really are. My first preference would be to work from source code all the time, but that isn’t always possible…
