Software analysis is the process of evaluating a software system's structure, behavior, and quality. Its purpose is to identify potential issues and risks, improve quality and reliability, and ensure compliance with organizational policies and industry regulations.
Software analysis can be performed at various stages of the software development life cycle (SDLC), including requirements analysis, design, coding, testing, and maintenance. In modern DevSecOps environments, code analysis has galvanized the shift-left paradigm.
1.1. Requirements Analysis
Requirements analysis is a crucial phase in the software development life cycle (SDLC) that involves understanding, documenting, and validating the requirements of a software system. The goal is to elicit and analyze user needs and expectations to ensure that the resulting software meets those requirements effectively.
Requirements analysis sets the foundation for the development process, guiding subsequent phases such as design, implementation, and testing. Conducting requirements analysis reduces the risk of scope creep, improves software quality, and delivers a product that meets stakeholder expectations.
Agile is an iterative approach to software development that emphasizes collaboration, continuous improvement, and rapid delivery. It involves breaking down the development process into short iterations, called sprints, and delivering working software at the end of each sprint. Agile methodologies, such as Scrum and Kanban, are widely used in software development.
JAD (Joint Application Development) is a requirements gathering technique that involves intensive collaboration between stakeholders, end-users, and development teams. It is a facilitated process that brings together all the relevant parties to elicit requirements, resolve conflicts, and reach consensus. JAD sessions are typically conducted in a workshop format, with a trained facilitator guiding the process.
MoSCoW is a prioritization technique that helps identify and prioritize requirements based on their importance and urgency. It classifies requirements into four categories: Must-have, Should-have, Could-have, and Won't-have. Must-have requirements are essential and must be implemented in the current release. Should-have requirements are important but not critical. Could-have requirements are desirable but not necessary. Won't-have requirements are explicitly agreed upon not to be included in the current release.
The Kano model helps categorize requirements based on their impact on customer satisfaction. It classifies requirements into five categories: Must-be, One-dimensional, Attractive, Indifferent, and Reverse. Must-be requirements are basic expectations that must be met. One-dimensional requirements directly influence customer satisfaction. Attractive requirements are unexpected features that delight customers. Indifferent requirements have no significant impact, and Reverse requirements may have a negative impact if included.
MVP (Most Valuable Product) is a technique for prioritizing requirements based on their business value. It involves identifying the minimum set of features that will deliver the most value to the customer. The MVP is then used as a starting point for the development process, with additional features added in subsequent releases.
User stories are a technique for capturing functional requirements from an end-user perspective. They are short, simple descriptions of a feature or functionality, written from the user's point of view. User stories are often used in Agile methodologies, such as Scrum and Kanban, to document requirements.
Use cases are a technique for capturing functional requirements from an end-user perspective. They are narrative descriptions of system behavior, describing specific interactions and scenarios in which the software will be used. Use cases are often used in traditional software development methodologies, such as Waterfall and V-Model, to document requirements.
Components and Features
Elicitation
This involves gathering requirements from stakeholders, including end-users, customers, and other relevant parties.
Techniques:
Interviews: One-on-one or group interviews with stakeholders are conducted to gather their perspectives, insights, and requirements. It allows for in-depth discussions, clarifications, and follow-up questions to understand their needs and expectations.
Questionnaires and Surveys: Questionnaires and surveys are useful for collecting a large amount of information from a wide range of stakeholders. They can be distributed electronically or in print format and enable stakeholders to provide their requirements in a structured manner.
Workshops and Focus Groups: These interactive sessions involve bringing together multiple stakeholders to collaborate, brainstorm, and discuss requirements. Workshops foster open communication, knowledge sharing, and consensus building among participants.
Observation: Observing users in their natural work environment can provide valuable insights into their tasks, workflows, and pain points. This technique helps in understanding the context of use and identifying requirements that might not be explicitly expressed by stakeholders.
Document Analysis: Analyzing existing documentation such as user manuals, business process documents, and system specifications can provide insights into current requirements or serve as a starting point for requirements gathering.
Use Cases and User Stories: Use cases and user stories are narrative descriptions of system behavior from an end-user perspective. They help capture functional requirements by describing specific interactions and scenarios in which the software will be used.
Ethnographic Studies: Ethnographic studies involve immersing analysts in the environment where the software will be used, enabling them to understand the users' needs, behaviors, and cultural context. This technique is particularly useful for gathering requirements in complex or specialized domains.
Brainstorming: Brainstorming sessions encourage creative thinking and idea generation. Participants freely share their requirements, ideas, and suggestions, fostering a collaborative environment that can lead to innovative solutions.
Protocols: Structured sessions involve intensive collaboration between stakeholders, end-users, and development teams to elicit requirements, resolve conflicts, and reach consensus in a facilitated environment. Techniques such as JAD (Joint Application Development) and JAR (Joint Application Requirements) are used to conduct these sessions.
Requirements Documentation
Once the requirements are elicited, they need to be documented in a clear and structured manner. This typically involves creating artifacts such as requirement documents, use cases, user stories, and process models. The documentation should capture functional requirements (what the software should do) as well as non-functional requirements (performance, security, usability, etc.). Functional requirements are commonly documented with Agile-style user stories or Waterfall-style use cases, while non-functional requirements (NFRs) are documented using techniques such as Quality Attribute Workshops (QAWs) and quality scenarios.
Analysis and Prioritization
The elicited requirements are then analyzed to identify any conflicts, inconsistencies, or missing information. It is important to ensure that the requirements are complete, consistent, and feasible. Techniques for requirements prioritization include MVP, MoSCoW, and the Kano model.
Validation and Verification
Requirements validation ensures that the documented requirements accurately reflect the stakeholders' needs. Verification involves reviewing the requirements for clarity, correctness, and feasibility.
Techniques:
Reviews and Inspections: These techniques involve systematic examination of software artifacts, such as requirements documents, design specifications, source code, and test cases, to identify errors, inconsistencies, and quality issues. Reviews and inspections can be conducted by a team of stakeholders, developers, or independent reviewers.
Walkthroughs: In a walkthrough, the software artifacts are presented to stakeholders or subject matter experts who provide feedback and identify potential issues. It is a collaborative process where the presenter explains the software and receives input and suggestions for improvement.
Prototyping: Prototyping involves building a simplified or partial version of the software system to validate and refine the requirements. Users and stakeholders can interact with the prototype to provide feedback on its functionality, usability, and design, helping to refine and validate the requirements.
1.2. Static Analysis
Static analysis is a software analysis technique that examines software artifacts, such as source code, design documents, or models, without executing the program. It analyzes the structure, syntax, and semantics of the code to identify potential issues, vulnerabilities, and quality concerns.
NOTE: Static analysis has limitations and may generate false positives or miss certain types of issues. Static analysis should be used in conjunction with other testing and analysis techniques to achieve a comprehensive assessment of software quality.
Software design principles are fundamental concepts and guidelines that help developers create well-designed, maintainable, and scalable software systems. These principles serve as a foundation for making informed design decisions and improving the quality of software.
An abstract syntax tree (AST) is a tree representation of the abstract syntactic structure of source code. It is generated by parsing the source code and represents the code's structure, including statements, expressions, and operators. ASTs are often used in static analysis tools to analyze the code and identify potential issues.
A control flow graph (CFG) is a directed graph that represents the possible orders in which a program's statements can execute. It is built from the program's abstract syntax tree (AST): nodes are basic blocks (straight-line sequences of statements) and edges are the possible transfers of control between them, such as branches, loops, and returns. CFGs are often used in static analysis tools to analyze the code and identify potential issues.
Data flow analysis is a technique for gathering information about the possible values of variables and expressions at various points in the program's execution. It involves analyzing the data flow through the program to identify potential issues, such as uninitialized variables, null pointer dereferences, or memory leaks.
Control flow analysis is a technique for gathering information about the possible control flow paths through a program. It involves analyzing the control flow through the program to identify potential issues, such as dead code, infinite loops, or unreachable code.
Abstract interpretation is a technique for analyzing the behavior of a program by approximating its semantics: the program is evaluated over an abstract domain (for example, value ranges or nullness) that over-approximates the concrete values each variable can take, which lets the analysis reason about every execution path without running the program. It is used to identify potential issues, such as type errors, null pointer dereferences, or memory leaks.
A type system is a set of rules that assigns a type to each program construct, such as variables, expressions, and functions. It defines the operations that can be performed on each type and ensures that the program is type-safe. Static analysis tools often use type systems to identify potential type errors, such as type mismatches, type conversions, or type casts.
Type safety is a property of a programming language that guarantees operations are only applied to values of a type for which they are defined, so that type errors are either rejected at compile time or caught at run time. Static analysis tools check this property to identify potential issues, such as type errors, null pointer dereferences, or memory leaks.
Linters are static analysis tools that analyze source code to identify and flag potential programming errors, coding standards violations, and other types of quality issues. They can be used to enforce coding standards, improve code quality, and ensure adherence to best practices.
Components and Features
Compliance and Standards Enforcement
Static analysis can enforce coding standards and industry best practices by flagging violations during the analysis process. It helps ensure that the code adheres to specific coding guidelines, naming conventions, and other standards defined by the organization or industry.
1.2.1. Linters
A linter is a static analysis tool that analyzes source code to identify and flag potential programming errors, coding standards violations, and other types of quality issues. It can be used to enforce coding standards, improve code quality, and ensure adherence to best practices.
SonarQube is an open-source platform for static code analysis. It supports a wide range of programming languages, including Java, C/C++, C#, JavaScript, TypeScript, Python, Ruby, Go, and PHP.
CodeQL is a semantic code analysis engine that can be used to analyze source code for potential security vulnerabilities. It supports a wide range of programming languages, including Java, C/C++, C#, JavaScript, TypeScript, Python, Ruby, Go, and PHP.
1.3. Dynamic Analysis
Dynamic analysis is a software analysis technique that involves executing the software system to observe its behavior. It can be used to validate the software against specified requirements, identify bugs, memory leaks, and evaluate performance characteristics.
Unit testing is a type of software testing that focuses on testing individual units or components of a software system. It involves designing and executing test cases to exercise the software and observe its behavior. By comparing the actual results with expected outcomes, unit testing helps identify bugs, logic errors, and functional issues.
Fuzz testing, also known as fuzzing, is a dynamic analysis technique that involves providing invalid, unexpected, or random inputs to a software system. The goal is to trigger unexpected behavior, such as crashes, hangs, or memory leaks, and identify potential defects or vulnerabilities.
DAST (Dynamic Application Security Testing) is a type of software testing that focuses on identifying and addressing security vulnerabilities and weaknesses in an application. The goal of DAST is to ensure that an application is secure from potential attacks and threats, such as data breaches, unauthorized access, or theft.
Techniques:
Penetration Testing, also known as ethical hacking, involves simulating real-world attacks to assess the security vulnerabilities of the software system. Skilled security professionals attempt to exploit weaknesses and gain unauthorized access to the system.
Vulnerability Scanning is a security analysis technique that involves scanning the software system for known security vulnerabilities and weaknesses. This includes using automated tools to identify common vulnerabilities, such as outdated software versions, misconfigurations, weak authentication mechanisms, or inadequate access controls.
Profiling is a dynamic analysis technique that involves collecting runtime data, such as method execution times, memory usage, and resource utilization, to identify potential performance bottlenecks, memory leaks, and inefficient algorithms.
Sanitizers are dynamic analysis tools that detect bugs such as buffer overflows and other out-of-bounds accesses, dangling pointers, and other types of undefined behavior at runtime, helping to prevent security vulnerabilities in C/C++ code.
Components and Features
Performance Analysis
Dynamic analysis techniques, such as profiling, are used to evaluate the performance characteristics of a software system. Profiling tools collect runtime data, such as method execution times, memory usage, and resource utilization, to identify performance bottlenecks, memory leaks, and inefficient algorithms. This information helps optimize the software for better efficiency and resource management.
Code Coverage
Dynamic analysis can determine the extent to which the code is exercised during testing. Code coverage analysis measures the percentage of code statements, branches, or paths that are executed during testing. It helps assess the thoroughness of testing and identifies areas of the code that have not been adequately tested, potentially indicating gaps in test coverage.
1.4. Security Analysis
Security analysis is a software analysis technique that involves identifying and addressing security vulnerabilities and weaknesses in a software system. Security analysis ensures that the software is secure from potential attacks and threats, such as data breaches, unauthorized access, or theft.
Conventions and Standards
Security by Design
Security by Design is a set of principles and practices that aim to integrate security into every stage of the software development lifecycle. It involves designing and building software with security in mind, rather than adding security as an afterthought. Security by Design helps organizations reduce the risk of security issues and improve the overall security of their software.
Application Security Testing (AST) is a type of software testing that focuses on identifying and addressing security vulnerabilities and weaknesses in an application. The goal of application security testing is to ensure that an application is secure from potential attacks and threats, such as data breaches, unauthorized access, or theft.
Static Application Security Testing (SAST) is a type of software testing that focuses on identifying and addressing security vulnerabilities and weaknesses in the source code. It involves analyzing the source code to identify potential security issues, such as SQL injections, Cross-Site Scripting (XSS), and insecure authentication mechanisms.
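As an added example tying the AST and data flow analysis concepts of section 1.2 to the SAST check described above (this code is not from the page or from any tool it names), a minimal taint analysis over Python's ast module: values derived from assumed untrusted sources (request.args, request.form, input()) are marked tainted, taint propagates through assignment, concatenation, f-strings and method calls, and a finding is reported when a tainted string reaches an assumed sink (cursor.execute, os.system). The source, sanitizer and sink sets and the sample functions are constructed for the demo.

```python
import ast
from typing import List, Set

# Assumed (hypothetical) taint sources, sanitizers and sinks for this demo;
# a real SAST engine ships large, framework-specific catalogues of these.
SOURCES = {"request.args", "request.form", "input"}
SANITIZERS = {"int", "float"}            # converting to a number neutralises injection
SINKS = {"cursor.execute", "os.system"}  # the query/command is the first argument


def dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


class TaintAnalyzer(ast.NodeVisitor):
    """Intraprocedural taint propagation over the AST of one function.

    Taint is tracked per variable name; assignments overwrite it, so the
    analysis follows straight-line code but does not merge branches.
    """

    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.findings: List[str] = []

    def is_tainted(self, node: ast.AST) -> bool:
        """Does this expression (transitively) derive from a source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return dotted_name(node) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):      # request.args["id"], x[0]
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):          # "..." + x,  "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):      # f"... {x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:                  # input()
                return True
            if name in SANITIZERS:               # int(x) kills the taint
                return False
            # Any other call propagates taint from its arguments and, for
            # method calls such as "...{}".format(x) or x.strip(), its receiver.
            operands = list(node.args)
            if isinstance(node.func, ast.Attribute):
                operands.append(node.func.value)
            return any(self.is_tainted(a) for a in operands)
        return False

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()                     # fresh scope per function
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if self.is_tainted(node.value):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)  # reassigned with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if name in SINKS and node.args and self.is_tainted(node.args[0]):
            self.findings.append(f"line {node.lineno}: tainted data reaches {name}()")
        self.generic_visit(node)


def analyze(source: str) -> List[str]:
    """Run the taint analysis over a module's source and return the findings."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample input (not real application code): one injectable
# query, one parameterised query, and one query built from a sanitised value.
SAMPLE = '''
def lookup(request, cursor):
    user = request.args["name"]
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(query)

def lookup_safe(request, cursor):
    user = request.args["name"]
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))

def by_id(request, cursor):
    uid = int(request.args["id"])
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Only the first function is reported; the parameterised query passes a constant as the statement, and int() is treated as a sanitizer, which is exactly the kind of rule a real engine lets you tune.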
Dynamic Application Security Testing (DAST) is a type of software testing that focuses on identifying and addressing security vulnerabilities and weaknesses in an application. It involves analyzing the running application to identify potential security issues, such as SQL injections, Cross-Site Scripting (XSS), and insecure authentication mechanisms.
Penetration testing, also known as ethical hacking, involves simulating real-world attacks to assess the security vulnerabilities of the software system. Skilled security professionals attempt to exploit weaknesses and gain unauthorized access to the system.
The OWASP Top 10 is a list of the top 10 most critical security risks for web applications. It is maintained by the Open Web Application Security Project (OWASP) and is used by organizations to identify and address security vulnerabilities in their web applications.
The CERT Secure Coding Standards are a set of coding standards for developing secure software. They are maintained by the Software Engineering Institute (SEI) at Carnegie Mellon University and are used by organizations to identify and address security vulnerabilities in their software.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the collection, storage, and use of personal data. It applies to all organizations that process personal data of EU residents, regardless of where the organization is located. The GDPR requires organizations to implement appropriate security measures to protect personal data and ensure compliance with the regulation.
Vulnerability Scanning is a security analysis technique that involves scanning the software system for known security vulnerabilities and weaknesses. This includes using automated tools to identify common vulnerabilities, such as outdated software versions, misconfigurations, weak authentication mechanisms, or inadequate access controls.
SQL injections are a type of security vulnerability that allows an attacker to execute arbitrary SQL queries on the database. They can be used to extract sensitive information, modify data, or perform other malicious actions. Error-based injections exploit error messages, Boolean-based injections rely on true/false conditions, and Time-based injections introduce delays to infer information.
XPath Injections
XPath injections are a type of security vulnerability that allows an attacker to execute arbitrary XPath queries on the XML database. Malicious XPath expressions are injected to manipulate XML queries.
XXE (XML External Entity) Injection
Exploiting vulnerabilities in XML parsers to disclose internal files, execute remote code, or perform other malicious actions.
CRLF Injection
Detecting vulnerabilities related to Carriage Return Line Feed (CRLF) characters, which can be exploited for various attacks like HTTP response splitting.
XSS (Cross-Site Scripting)
A type of injection attack where malicious scripts are injected into trusted websites. Attackers exploit security flaws in web applications that accept user input without proper validation or sanitization. The injected script can give the attacker access to sensitive information, session hijacking capabilities, or even the ability to redirect users to malicious websites.
Reflected XSS: Malicious script is directly reflected back to the user (e.g. in a search query).
Stored XSS: Malicious script is stored on the server and displayed to other users later (e.g. in a forum comment).
XSSI (Cross-Site Script Inclusion): An attacker injects external scripts instead of directly writing the malicious code.
XSRF (Cross-Site Request Forgery): An attack where an attacker tricks a user into unknowingly performing an action on a trusted website; servers can detect and reject such cross-site requests using Fetch Metadata request headers (e.g. Sec-Fetch-Site).
File Disclosure Detection (Local and Remote Include, Require, Fopen, Readfile)
Detecting vulnerabilities that may expose sensitive files on the server through functions like include, require, fopen, and readfile.
Identifying potential security risks related to the execution of arbitrary commands on the server through functions like eval(), system(), and passthru().
Search for Potentially Dangerous Files on the Server
Utilizing the Nikto database (Nikto DB) to search for files or configurations that might pose security risks.
Bypass of Weak .htaccess Configurations
Identifying and exploiting weaknesses in the .htaccess file, which is used to configure settings for Apache web servers.
Search for Copies (Backup) of Scripts on the Server
Identifying backup copies of scripts on the server, which might be vulnerable or reveal sensitive information.
Shellshock
Detecting the Shellshock vulnerability, a critical security flaw in the Bash shell.
Folder and File Enumeration
Enumerating folders and files on the server using tools such as DirBuster, which may reveal sensitive information or lead to other vulnerabilities.
Server Side Request Forgery (SSRF) is a type of security vulnerability that allows an attacker to make the server send arbitrary HTTP requests. It can be used to access internal resources, such as databases or files, or perform other malicious actions; scanners such as Wapiti include checks for it.
CSRF (Cross Site Request Forgery)
Cross-Site Request Forgery (CSRF) is a type of security vulnerability that allows an attacker to perform unauthorized actions on behalf of a victim user. It can be used to steal sensitive information, hijack user sessions, or perform other malicious actions.
Open Redirects
Identifying and exploiting open redirects, which allow an attacker to redirect users to malicious websites.
Detection of Uncommon HTTP Methods
Identifying uncommon HTTP methods, such as PUT, TRACE and TRACK, which may be used to exploit vulnerabilities in web servers.
Basic CSP Evaluator
Identifying potential security risks related to the Content Security Policy (CSP) header, which is used to prevent Cross-Site Scripting (XSS) attacks by controlling which resources can be loaded.
Brute Force Login Form (Using a Dictionary List)
Identifying weak passwords by brute-forcing login forms: systematically trying username and password combinations taken from a dictionary list.
Checking HTTP Security Headers
Verifying that HTTP security headers, such as Strict-Transport-Security and Content-Security-Policy, are configured correctly to prevent common attacks, such as Cross-Site Scripting (XSS), Clickjacking, and MIME sniffing.
Checking Cookie Security Flags
Verifying that cookies are configured correctly with the Secure and HttpOnly Flags to prevent common attacks, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and session hijacking.
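The three checks above (security headers, cookie flags and a basic CSP evaluation) as one added example, not code from the page or from any scanner it names: it audits a constructed list of response headers and reports each weakness together with the attack it leaves open. The one-year HSTS threshold is this checker's own choice; ignoring 'unsafe-inline' once a nonce or hash source is present follows browser CSP behaviour.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]
ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age this checker accepts


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "dir src src; dir src" into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def evaluate_csp(policy: str) -> List[str]:
    """Basic CSP evaluation: can the effective script policy be bypassed?"""
    directives = parse_csp(policy)
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return ["CSP: neither script-src nor default-src set, scripts are unrestricted"]
    issues: List[str] = []
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for t in script)
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"):
        # browsers ignore 'unsafe-inline' once a nonce or hash source is present
        if weak in script and not (weak == "'unsafe-inline'" and has_nonce_or_hash):
            issues.append(f"CSP: script policy allows {weak}")
    return issues


def check_cookie(set_cookie: str) -> List[str]:
    """Flag missing Secure / HttpOnly / SameSite on one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.lower()] = value.lower()
    issues: List[str] = []
    if "secure" not in attrs:
        issues.append(f"cookie {name}: missing Secure (can be sent over plaintext HTTP)")
    if "httponly" not in attrs:
        issues.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
    if "samesite" not in attrs:
        issues.append(f"cookie {name}: missing SameSite (sent on cross-site requests, CSRF)")
    return issues


def audit_response(headers: List[Header]) -> List[str]:
    """Audit the security headers and cookies of one HTTP response."""
    by_name: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)            # Set-Cookie may legitimately repeat
        else:
            by_name[name.lower()] = value
    findings: List[str] = []
    hsts = by_name.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security missing (downgrade to HTTP possible)")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is below one year")
    csp = by_name.get("content-security-policy")
    if csp is None:
        findings.append("CSP: Content-Security-Policy missing (no XSS mitigation)")
    else:
        findings.extend(evaluate_csp(csp))
    if by_name.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set (MIME sniffing)")
    if "x-frame-options" not in by_name and "frame-ancestors" not in (csp or "").lower():
        findings.append("Clickjacking: neither X-Frame-Options nor frame-ancestors set")
    for cookie in cookies:
        findings.extend(check_cookie(cookie))
    return findings


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```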
Web Application Fingerprinting
Identifying the technologies used by a web application, such as Content Management Systems (CMS), Web Frameworks, JavaScript Libraries, and Web Servers using the Wappalyzer Database.
Enumeration of WordPress and Drupal
Identifying the installed modules or plugins in WordPress and Drupal instances, which may be vulnerable to known security issues.
Detection of Subdomain Takeovers Vulnerabilities
Identifying potential security risks related to subdomain takeovers, which allow an attacker to take control of a subdomain and redirect users to malicious websites.
Identifying potential security risks related to the Log4Shell vulnerability, a critical security flaw in the Apache Log4j library.
TLS Misconfiguration and Vulnerabilities
Identifying potential security risks related to TLS misconfigurations, such as weak ciphers, insecure renegotiation, and certificate validation issues, using tools such as SSLyze.
1.4.1. Scanners
Scanners are security analysis tools that examine a software system for security vulnerabilities, detecting common weaknesses such as SQL injection, Cross-Site Scripting (XSS), and insecure authentication mechanisms.
Scanning is a software analysis technique that involves examining the software system for known security vulnerabilities and weaknesses. This includes using automated tools to identify common vulnerabilities, such as outdated software versions, misconfigurations, weak authentication mechanisms, or inadequate access controls. Closely related sanitization libraries remove or correct malicious or potentially dangerous content from data inputs, such as user-generated input in a web application.
Veracode is a cloud-based application security testing platform that combines SAST and DAST. It offers Static Analysis, Dynamic Analysis, and Software Composition Analysis (SCA) to identify and remediate security vulnerabilities in applications.
SSLyze is an open-source tool that can be used to identify security vulnerabilities in SSL/TLS implementations. It can be used to detect common vulnerabilities, such as weak ciphers, insecure renegotiation, and certificate validation issues.
Nikto is an open-source web application security scanner that can be used to identify security vulnerabilities in web applications.
DirBuster
DirBuster is an open-source tool that can be used to identify hidden files and directories on a web server. It performs a brute force attack on directories and filenames on the web application.
Wappalyzer is an open-source tool that can be used to identify the technologies used by a web application, such as Content Management Systems (CMS), Web Frameworks, JavaScript Libraries, and Web Servers.
HTMLPurifier
A PHP library that removes malicious code from HTML input, including XSS attacks and other types of malicious content.
OWASP Java Encoder
A Java library that provides a comprehensive set of functions for encoding and escaping user input to prevent XSS attacks.
Input Sanitizer
A JavaScript library that provides a simple and flexible API for sanitizing user input to prevent XSS attacks.
Anti-Samy
An XML and XHTML sanitizer that removes malicious code from user input and ensures that the output is secure and well-formed.
XSS-Sanitizer
A Python library that provides a simple API for sanitizing user input to prevent XSS attacks.
Ruby Sanitizer
A Ruby library that provides a simple API for sanitizing user input, including functions for removing malicious code, encoding special characters, and removing dangerous attributes.
sqlmap
An open-source tool that automates the process of identifying and exploiting SQL Injection vulnerabilities in web applications.
OWASP Zed Attack Proxy (ZAP) is an open-source DAST tool used for finding vulnerabilities in web applications at runtime. It is particularly known for its effectiveness in manual testing.
Wapiti is an open-source web application security scanner that can be used to identify security vulnerabilities in web applications. Wapiti has a comprehensive list of security checks and can be used to detect common vulnerabilities, such as SQL Injection, Cross-Site Scripting (XSS), and insecure authentication mechanisms.
Acunetix is a commercial web application security scanner that can be used to identify security vulnerabilities in web applications. It performs black-box and grey-box testing.
Burp Suite is a commercial web application security scanner that can be used to identify security vulnerabilities in web applications. Burp Suite is a set of tools for DAST of web applications. It includes functions such as scanning, crawling, and intruder for identifying security issues.
OpenVAS is an open-source vulnerability scanner that can be used to identify security vulnerabilities in web applications.
1.5. Quality Analysis
Quality analysis is a software analysis technique that involves assessing the quality of the code to ensure that it is readable, maintainable, and extensible. It helps identify potential issues, such as coding violations, code smells, and anti-patterns, and provides insights for improving the code quality.
Quality analysis focuses on evaluating the quality of the source code of a software system. It involves assessing various aspects of the code, such as its structure, readability, maintainability, adherence to coding standards, and potential for defects. The objective of code quality analysis is to identify coding issues, improve the quality of the codebase, and facilitate long-term maintainability and extensibility.
Software metrics are quantitative measures of a software system's characteristics. They provide insights into the quality of the code and help identify areas for improvement. Common software metrics include code complexity, code coverage, cyclomatic complexity, and code duplication.
Software design principles are fundamental concepts and guidelines that help developers create well-designed, maintainable, and scalable software systems. These principles serve as a foundation for making informed design decisions and improving the quality of software.
SonarQube is an open-source platform for static code analysis. It supports a wide range of programming languages, including Java, C/C++, C#, JavaScript, TypeScript, Python, Ruby, Go, and PHP. It provides continuous inspection of code quality: it measures code complexity, detects bugs, and enforces coding standards.
CodeQL is a semantic code analysis engine that can be used to analyze source code for potential security vulnerabilities. It supports a wide range of programming languages, including Java, C/C++, C#, JavaScript, TypeScript, Python, Ruby, Go, and PHP.
PMD is an open-source static code analysis tool that can be used to identify potential common programming flaws like unused variables, empty catch blocks, code duplication, and overcomplicated expressions in Java, JavaScript, and Apex code.
CPD is a tool that can be used to detect code duplication in Java, C, C++, C#, Groovy, PHP, Ruby, Fortran, JavaScript, PLSQL, Apache Velocity, Scala, Objective C, Matlab, Python, Go, and Apex code.
JaCoCo
A Java Code Coverage Library that provides a comprehensive report of the code coverage during the testing phase.
McCabe Complexity Checker
A tool specifically designed to calculate McCabe cyclomatic complexity in source code files.
Simian (Similarity Analyser)
A tool that identifies duplication in Java, C#, C, XML, and more.
Components and Features
Code Complexity
Code quality analysis assesses the complexity of the code to identify areas that might be difficult to understand, test, or maintain. Code complexity metrics, such as cyclomatic complexity or nesting depth, provide quantitative measures of code complexity. High complexity can indicate a higher likelihood of bugs and decreased maintainability. By identifying complex code sections, developers can refactor or simplify them for better code quality.
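As an added example (not code from the page or from any of the tools listed above), a small Python analyzer that computes a simplified McCabe cyclomatic complexity and the maximum nesting depth of every function straight from the AST, then flags functions over a threshold. The counting rules, the thresholds and the sample function it analyses are assumptions of this example, not something the page specifies.

```python
import ast

# Simplified McCabe rule: each _DECISIONS node adds one path; _NESTING statements deepen nesting.
_DECISIONS = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.IfExp)
_NESTING = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.Try, ast.With, ast.AsyncWith)
def cyclomatic(fn: ast.AST) -> int:
    """1 + decision points; 'a and b or c' adds one per extra boolean operand."""
    cc = 1
    for node in ast.walk(fn):
        if isinstance(node, _DECISIONS):
            cc += 1
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            cc += len(node.ifs)  # each 'if' filter inside a comprehension is a branch
    return cc
def max_nesting(node: ast.AST, depth: int = 0) -> int:
    """Deepest compound-statement nesting below node; an elif chain does not deepen it."""
    deepest = depth
    for child in ast.iter_child_nodes(node):
        is_elif = isinstance(node, ast.If) and isinstance(child, ast.If) and node.orelse == [child]
        here = depth + 1 if isinstance(child, _NESTING) and not is_elif else depth
        deepest = max(deepest, max_nesting(child, here))
    return deepest
def analyze(source: str) -> dict[str, tuple[int, int]]:
    """Map every function (nested ones included) to (cyclomatic complexity, max nesting)."""
    return {n.name: (cyclomatic(n), max_nesting(n))
            for n in ast.walk(ast.parse(source))
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
def flag(source: str, max_cc: int = 10, max_depth: int = 3) -> list[str]:
    """Functions over either threshold: the refactoring worklist the text describes."""
    return [f"{name}: cc={cc} depth={depth}" for name, (cc, depth) in analyze(source).items()
            if cc > max_cc or depth > max_depth]

# Constructed sample (not from the page): elif chain, boolean operator, loop/if/try/with four deep.
SAMPLE = '''
def load(paths, strict):
    if not paths:
        return None
    elif strict and len(paths) > 5:
        raise ValueError("too many")
    for p in paths:
        if p.endswith(".cfg"):
            try:
                with open(p) as fh:
                    return fh.read()
            except OSError:
                pass
'''
```

Running `flag(SAMPLE)` reports `load` for its nesting depth of 4 even though its complexity of 7 is under the default limit, which is why the two metrics are tracked separately.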
Code Smells and Anti-patterns
Code quality analysis helps identify code smells, which are indicators of potential design or implementation issues. Code smells include duplicated code, long methods, excessive dependencies, and improper use of language features. Detecting code smells helps in refactoring the code to improve its readability, maintainability, and extensibility. It also helps avoid anti-patterns, which are common but ineffective or harmful coding practices.
Unused Code and Dead Code
Code quality analysis identifies unused code or dead code, which refers to code segments that are not executed or have no impact on the program's behavior. Removing unused or dead code helps reduce code clutter, improve performance, and enhance maintainability.
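An added example, not taken from the page or from any tool it lists: a Python AST pass that finds both kinds of dead code described above, statements that can never execute because they follow a return, raise, break or continue in the same block, and imports or function locals that are written but never read. The heuristics and the sample module are constructed for this illustration.

```python
import ast
# Statements after one of these in the same block can never execute.
_TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)

def unreachable(source: str) -> list[int]:
    """Line numbers of statements that follow a return/raise/break/continue in their block."""
    lines = []
    for node in ast.walk(ast.parse(source)):
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if not isinstance(block, list):  # Lambda.body / IfExp.body are single expressions
                continue
            for i, stmt in enumerate(block):
                if isinstance(stmt, _TERMINATORS):
                    lines.extend(s.lineno for s in block[i + 1:])
                    break
    return sorted(lines)
def _names(node: ast.AST, ctx: type) -> set[str]:
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name) and isinstance(n.ctx, ctx)}
def unused(source: str) -> dict[str, list[str]]:
    """Imports never read anywhere and function locals assigned but never read.
    Heuristic: __all__ re-exports, del, global/nonlocal and star-imports are not modelled."""
    tree = ast.parse(source)
    imported = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            imported += [(a.asname or a.name).split(".")[0] for a in node.names if a.name != "*"]
    read_anywhere = _names(tree, ast.Load)
    locals_ = []
    for fn in ast.walk(tree):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            locals_ += sorted(f"{fn.name}.{v}" for v in _names(fn, ast.Store) - _names(fn, ast.Load))
    return {"imports": [n for n in imported if n not in read_anywhere], "locals": locals_}

# Constructed sample (not from the page): two unused imports, an unread local,
# and a print() that follows a return.
SAMPLE = '''
import os
import sys
import json as js

def parse(raw):
    data = js.loads(raw)
    count = len(data)
    if not data:
        return {}
        print("empty")
    return data
'''
```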
Dependencies and Coupling
Code quality analysis examines the dependencies and coupling between code modules. High coupling and excessive dependencies can lead to code fragility and difficulties in making changes or enhancements. By analyzing the code for tight coupling and excessive dependencies, developers can identify areas where code modularization or decoupling is required.
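Added example (not the page's code, nor that of any listed tool): a module dependency graph built from the import statements of a constructed four-module project, with efferent and afferent coupling per module, the instability ratio I = Ce / (Ca + Ce) (Robert C. Martin's metric, used here as an assumption rather than something the page names), and the mutually importing module pairs that are the first candidates for decoupling.

```python
import ast
from collections import defaultdict

# Constructed sample project (not from the page): module name -> source text.
PROJECT = {
    "app": "import db\nimport auth\nfrom util import fmt\n",
    "auth": "import db\nimport util\n",
    "db": "import util\nimport auth\n",  # auth and db import each other
    "util": "import json\n",             # json is stdlib, not a project module
}

def imports_of(source: str, known: set[str]) -> set[str]:
    """Project modules a module imports; names outside `known` (stdlib, third-party) are dropped."""
    deps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            deps.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            deps.add(node.module.split(".")[0])
    return deps & known

def dependency_graph(project: dict[str, str]) -> dict[str, set[str]]:
    """module -> set of project modules it imports directly."""
    known = set(project)
    return {m: imports_of(src, known) for m, src in project.items()}

def coupling(project: dict[str, str]) -> dict[str, dict[str, float]]:
    """Per module: Ce (modules it depends on), Ca (modules depending on it) and
    instability I = Ce / (Ca + Ce); I near 1 changes freely, near 0 is risky to change."""
    out = dependency_graph(project)
    incoming = defaultdict(set)
    for m, deps in out.items():
        for d in deps:
            incoming[d].add(m)
    result = {}
    for m in project:
        ce, ca = len(out[m]), len(incoming[m])
        result[m] = {"Ce": ce, "Ca": ca, "I": round(ce / (ca + ce), 2) if ca + ce else 0.0}
    return result

def cycles(project: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of modules that import each other: the tightest coupling in the graph."""
    out = dependency_graph(project)
    return sorted((a, b) for a in out for b in out[a] if a < b and a in out[b])
```

On the sample, `util` is depended on by everything and depends on nothing (I = 0), so changes there ripple widest, while the `auth`/`db` cycle is the pair that modularization would break up first.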
2. Terminology
Static Analysis
Examining the code without executing it. This includes code reviews and using tools to analyze the code structure, identify potential issues, and ensure compliance with coding standards.
Dynamic Analysis
Analyzing the software while it is running. This involves testing, profiling, and monitoring the behavior of the software to understand its performance, memory usage, and potential runtime errors.
Code Review
A systematic examination of code by one or more individuals to find and fix mistakes and improve the overall quality of the software.
Testing
The process of executing a program with the intent of finding errors or verifying that it behaves as expected. Types of testing include unit testing, integration testing, and system testing.
Code Smell
Indications in the source code that there might be a problem. This doesn't necessarily mean there's a bug, but it could suggest areas that need closer inspection.
Refactoring
Restructuring existing computer code without changing its external behavior. This is done to improve nonfunctional attributes of the software, making it easier to understand and maintain.
Reverse Engineering
Analyzing a system to understand its design and implementation, often for the purpose of redesigning or re-implementing it.
Performance Analysis
Evaluating the efficiency of a software application, identifying bottlenecks, and optimizing code and algorithms for better performance.
Security Analysis
Evaluating a system's security to identify vulnerabilities and weaknesses that could be exploited by attackers.
Dependency Analysis
Examining the relationships between different components/modules in a software system to understand dependencies and potential points of failure.
Traceability Matrix
A document that links requirements to test cases, ensuring that all requirements are covered by tests and providing a way to trace the impact of changes.
Software Analysis
1. Category
1.1. Requirements Analysis
Conventions and Standards
Agile
JAD
Tools and Frameworks
MoSCoW
Kano Model
MVP
User Stories
Use Cases
Components and Features
Elicitation
Requirements Documentation
Analysis and Prioritization
Validation and Verification
1.2. Static Analysis
Static analysis is a software analysis technique that examines software artifacts, such as source code, design documents, or models, without executing the program. It analyzes the structure, syntax, and semantics of the code to identify potential issues, vulnerabilities, and quality concerns.
Conventions and Standards
Software Design Principles
Abstract Syntax Tree (AST)
Control Flow Graph (CFG)
Data Flow Analysis
Control Flow Analysis (CFA)
Abstract Interpretation
Type System
Type Safety
Tools and Frameworks
Components and Features
1.2.1. Linters
A linter is a static analysis tool that analyzes source code to identify and flag potential programming errors, coding standards violations, and other types of quality issues. It can be used to enforce coding standards, improve code quality, and ensure adherence to best practices.
Tools and Frameworks
SonarQube
CodeQL
ESLint
Pylint
RuboCop
Clang-Tidy
Clang-Format
Prettier
JSHint
golangci-lint
Flake8
CSSLint
detect-secrets
1.3. Dynamic Analysis
Dynamic analysis is a software analysis technique that involves executing the software system to observe its behavior. It can be used to validate the software against specified requirements, identify bugs and memory leaks, and evaluate performance characteristics.
Conventions and Standards
Unit Testing
Fuzz Testing
DAST
Profiling
Debugging
Tools and Frameworks
Components and Features
Performance Analysis
Code Coverage
1.4. Security Analysis
Security analysis is a software analysis technique that involves identifying and addressing security vulnerabilities and weaknesses in a software system. Security analysis ensures that the software is secure from potential attacks and threats, such as data breaches, unauthorized access, or theft.
Conventions and Standards
Security by Design
Application Security Testing (AST)
Penetration Testing
OWASP Top 10
CERT Secure Coding Standards
General Data Protection Regulation (GDPR)
Tools and Frameworks
Components and Features
SQL Injections (Error-based, Boolean-based, Time-based)
XPath Injections
XXE (XML External Entity) Injection
CRLF Injection
XSS (Cross-Site Scripting)
File Disclosure Detection (Local and Remote Include, Require, Fopen, Readfile)
Command Execution Detection (eval(), system(), passthru())
Search for Potentially Dangerous Files on the Server
Bypass of Weak .htaccess Configurations
Search for Copies (Backup) of Scripts on the Server
Shellshock
Folder and File Enumeration
SSRF (Server Side Request Forgery)
CSRF (Cross Site Request Forgery)
Open Redirects
Detection of Uncommon HTTP Methods
Basic CSP Evaluator
Brute Force Login Form (Using a Dictionary List)
Checking HTTP Security Headers
Checking Cookie Security Flags
Web Application Fingerprinting
Enumeration of WordPress and Drupal
Detection of Subdomain Takeover Vulnerabilities
Log4Shell Vulnerability Detection (CVE-2021-44228)
TLS Misconfiguration and Vulnerabilities
1.4.1. Scanners
A scanner is a security analysis tool that identifies security vulnerabilities in a software system, detecting common vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure authentication mechanisms.
Scanning is a software analysis technique that involves scanning the software system for known security vulnerabilities and weaknesses. This includes using automated tools to identify common weaknesses, such as outdated software versions, misconfigurations, weak authentication mechanisms, and inadequate access controls, and to remove or correct malicious or potentially dangerous content in data inputs, such as user-generated input in a web application.
Tools and Frameworks
Veracode
SSLyze
Nikto
DirBuster
Wappalyzer
HTMLPurifier
OWASP Java Encoder
Input Sanitizer
Anti-Samy
XSS-Sanitizer
Ruby Sanitizer
sqlmap
OWASP Zed Attack Proxy (ZAP)
Arachni
Wapiti
Skipfish
Invicti
Acunetix
Burp Suite
OpenVAS
1.5. Quality Analysis
Quality analysis is a software analysis technique that involves assessing the quality of the code to ensure that it is readable, maintainable, and extensible. It helps identify potential issues, such as coding violations, code smells, and anti-patterns, and provides insights for improving the code quality.
Conventions and Standards
Software Metrics
Software Design Principles
Tools and Frameworks
SonarQube
CodeQL
PMD
CPD
JaCoCo
McCabe Complexity Checker
Simian (Similarity Analyser)
Components and Features
Code Complexity
Code Smells and Anti-patterns
Unused Code and Dead Code
Dependencies and Coupling
2. Terminology
Static Analysis
Dynamic Analysis
Code Review
Testing
Code Smell
Refactoring
Reverse Engineering
Performance Analysis
Security Analysis
Dependency Analysis
Traceability Matrix