Verification Techniques

Application Security Static Analysis
Automated static analysis tools, both commercial and proprietary, have always been an important part of our hybrid application verification approach. That hybrid approach takes strategic advantage of static analysis to be more efficient and more accurate than any other approach. We tailor our tools to each application and then diagnose, consolidate, and verify all of the automatically generated data.
Security-focused static analysis examines source code or bytecode to identify API calls and code paths that are significant or interesting from a security perspective. Some tools add data flow analysis, which locates the application's entry and exit points and traces the flow of untrusted input along the paths between them.
Aspect's research labs have developed several different static analysis engines for use on both source code and bytecode. These tools build on our extensive database detailing the security properties of the common libraries in use in many enterprises. Leveraging this technology and knowledge base makes our use of static analysis faster and more accurate.
Our analysts take the data produced by static analysis tools and evaluate it carefully to identify false positives and duplicate findings. In many cases, the exact significance of a data point is unclear without further analysis and understanding of the application's architecture, patterns, and frameworks. This analysis is combined with the other verification techniques and enhanced with risk information to produce a complete and accurate security review.
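To make the data flow idea concrete, here is a small added example (written for this page, not one of Aspect's engines) that traces untrusted input from entry points (sources) to sensitive exit points (sinks) in a constructed Python snippet, and that treats a few calls as sanitizers so a cleaned value does not produce a finding. The source, sink and sanitizer tables, the sample code and the finding format are all assumptions made for the illustration; a real engine would draw them from a library knowledge base and handle far more language constructs.

```python
import ast
from dataclasses import dataclass

# Constructed tables: where untrusted input enters, where it must not flow
# unchecked, and which calls neutralise it. A real tool gets these from a
# curated database of library security properties.
SOURCES = {"request.args.get", "input"}
SINKS = {"cursor.execute": "SQL injection", "os.system": "command injection"}
SANITIZERS = {"int", "escape"}


@dataclass(frozen=True)
class Finding:
    line: int   # line of the sink call in the analysed source
    vuln: str   # category from SINKS
    sink: str   # dotted name of the sink that received tainted data


def dotted_name(func):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Straight-line, intraprocedural taint propagation over simple expressions."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []

    def is_tainted(self, expr):
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return True          # entry point: value is untrusted by definition
            if name in SANITIZERS:
                return False         # sanitizer: its result is treated as clean
            return any(self.is_tainted(a) for a in expr.args)
        if isinstance(expr, ast.BinOp):
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):            # f-strings
            return any(self.is_tainted(v) for v in expr.values)
        if isinstance(expr, ast.FormattedValue):
            return self.is_tainted(expr.value)
        if isinstance(expr, ast.Subscript):
            return self.is_tainted(expr.value)
        return False

    def visit_Assign(self, node):
        # Evaluate the right-hand side before updating targets so `x = x + y` works.
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append(Finding(node.lineno, SINKS[name], name))
        self.generic_visit(node)


def analyze(source):
    """Return findings for `source`, in source order."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample under analysis. Lines 5 and 8 pass untrusted data to a
# sink; lines 6 and 7 are cleared because the value went through a sanitizer.
SAMPLE = '''
user = request.args.get("user")
page = int(request.args.get("page"))
query = "SELECT * FROM t WHERE name = '" + user + "'"
cursor.execute(query)
cursor.execute("SELECT * FROM t LIMIT " + str(page))
os.system("ls " + escape(user))
os.system(f"ping {user}")
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(f"line {finding.line}: {finding.vuln} via {finding.sink}")
```

The sanitizer table is where most of the triage described above happens in practice: a tool that does not know `escape` is a sanitizer would report line 7 as well, and an analyst who understands the application's frameworks is the one who decides whether that report is a false positive. This tracker is also deliberately naive (no branches, loops or calls between functions), so it shows the mechanism rather than the coverage of a production engine.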
Aspect has deep experience with virtually all modern software environments and frameworks, including Java, .NET, C/C++, ASP, ColdFusion, Oracle, Struts, Spring, Ajax, RIA, and many more. Even if you didn't develop the code yourself, we are happy to work with your software provider.
Aspect's Standard Verification and Comprehensive Verification both leverage static analysis in addition to code review and manual testing. This hybrid approach allows us to provide the most cost-effective verification solution available anywhere.