7.3 Run Static Code Analysis


Static code analysis is the analysis of computer software that is performed without actually executing programs built from that software. In most cases the analysis is performed on some version of the source code; in other cases it is performed on some form of the object code. The term is usually applied to analysis performed by an automated tool.

Because SQL injections arise from dynamically generated SQL, static code analysis tools may find it difficult to identify all categories of SQL injection with certainty: doing so can require knowledge of object names and content that is not available at analysis time. For example, a PL/SQL function might construct a string containing parts of a SQL statement that is later combined with a malicious table name, leading to an injection.
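The limitation described above, as an added illustration that is not part of the original page: a toy lexical scanner run over constructed PL/SQL fragments. It flags an identifier concatenated straight into `EXECUTE IMMEDIATE` and recognises a `DBMS_ASSERT` check, but when the statement text is assembled elsewhere it can only report "unknown-origin", because the object name is not known at analysis time. The fragments, the `build_stmt` function and the verdict labels are constructed for this example.

```python
import re

# Constructed PL/SQL fragments (not from the page), one EXECUTE IMMEDIATE each.
SAMPLES = {
    # Table name concatenated straight into the statement: a lexical scan can see it.
    "direct": "EXECUTE IMMEDIATE 'DELETE FROM ' || p_table;",
    # Only a bind variable is supplied; the statement text itself is a constant.
    "bind": "EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE id = :1' USING p_id;",
    # The identifier is validated with DBMS_ASSERT before it reaches the statement.
    "asserted": "EXECUTE IMMEDIATE 'DELETE FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table);",
    # The statement is built elsewhere (build_stmt is hypothetical): whether v_sql
    # carries an untrusted object name is not visible to a scan of this fragment.
    "indirect": "v_sql := build_stmt(p_table);\nEXECUTE IMMEDIATE v_sql;",
}

EXEC_IMM = re.compile(r"\bEXECUTE\s+IMMEDIATE\s+(.+?);", re.I | re.S)
# Clauses that follow the statement expression; the split is crude and would
# also fire on these keywords inside a string literal.
CLAUSE = re.compile(r"\b(?:USING|INTO|BULK\s+COLLECT|RETURNING)\b", re.I)
LITERAL = re.compile(r"'[^']*'")


def classify(plsql: str) -> list:
    """Return one verdict per EXECUTE IMMEDIATE found in the fragment.

    Heuristic only: it does not parse PL/SQL, resolve identifiers or follow
    calls, which is exactly the gap the page describes.
    """
    verdicts = []
    for m in EXEC_IMM.finditer(plsql):
        # Keep just the expression that yields the statement text.
        expr = CLAUSE.split(m.group(1))[0].strip()
        if "||" not in expr:
            verdicts.append("constant" if LITERAL.fullmatch(expr) else "unknown-origin")
        elif re.search(r"\bDBMS_ASSERT\.", expr, re.I):
            verdicts.append("validated-concat")
        else:
            verdicts.append("unvalidated-concat")
    return verdicts


def scan(samples: dict = SAMPLES) -> dict:
    """Classify every sample; 'unknown-origin' marks a case needing manual review."""
    return {name: classify(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, verdicts in scan().items():
        print(f"{name:10s} -> {', '.join(verdicts)}")
```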

Static code analysis tools should not be used for any kind of security sign-off. Instead, static analysis should be one of the initial steps in the code testing process.