static code analysis

Overview

Static Code Analysis (SCA) is the process of analyzing the source code to an application without executing the application. The SCA reads in the code and looks for errors and vulnerabilities that exist in the code. Some examples that the analyzer may look for include:

Not initializing variables before use
Known unsafe function calls
Inconsistent interface between modules and components.
Unreachable code or “Dead Code”
Failure to follow standard coding practices
Syntax violations

Why are they asking this?

Failure to use SCA on your source code can leave vulnerabilities in your application undetected.

While SCA may not detect every vulnerability, it will help eliminate the common ones and the easy to exploit ones.

What do they expect?

It is expected that you have a robust software development life cycle (SDLC) that includes static code analysis in addition to other measures to ensure that the code is not vulnerable.

Do you apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software?
Do you perform static code analysis to identify potential security vulnerabilities in the application prior to deployment?
Do you subject your code to static code analysis and/or static application security testing prior to release?
As a part of the development process, has the source code been scanned for vulnerabilities using a third-party static code analysis tool such as Coverity, WebInspect, Veracode, Fortify or BeyondTrust?
Does your company perform internal code/application security scanning using industry standard tools?
Do you employ static or dynamic analysis tools in your development methodology?