vulnerabilities

PVS-Studio as SAST solution

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).

PVS-Studio as SAST solution

by Andrey Karpov

From the article:

Until recently, in our articles we have positioned PVS-Studio as a tool for detecting errors in code. While we almost never regarded PVS-Studio in a security context. We will try to remedy this situation and take a look at the tool in terms of testing of security applications and DevSecOps practices.

For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).

PVS-Studio: searching software weaknesses

As we check Apache HTTP Server, we see bugs crawling everywhere across the code. But wait! These are not just bugs, but security weaknesses!

PVS-Studio: searching software weaknesses

by Andrey Karpov, Phillip Khandeliants

From the article:

PVS-Studio has always been able to detect a large number of various security defects (potential vulnerabilities) in the program code. However, historically, we positioned PVS-Studio as a tool to search for errors. We see a trend in the software development to look for vulnerabilities in the code, although it is just the same. It seems to us that it is high time to do the rebranding of our static analyzer PVS-Studio. We will start with Common Weakness Enumeration (CWE). This article provides a table that shows matches of PVS-Studio diagnostic warnings of with the classifier. The table will be gradually updated and changed, but we can already use the table to write articles about security defects detected in projects. We suppose it would attract more attention of the software security specialists.