The National Security Agency's Center for Assured Software (CAS) researches tools and techniques that can be used throughout the development lifecycle to evaluate and improve the assurance of software and to avoid and eliminate exploitable vulnerabilities. Over the past two years, the CAS has extensively and scientifically studied commercial and open source static analysis tools for C, C++, and Java. The purpose of this research is to determine the strengths and limitations of modern static analysis tools with respect to the flaws they identify, the flaws they miss, and the false positives they report.
This presentation will describe the CAS's most recent study of commonly used static analysis tools and include details on the test cases, methodology, and analysis techniques used. It will cover the study's conclusions, aggregate results, and trending information from previous studies, and also provide guidance for those using or considering static analysis tools.