This article is about secure code review and static code analysis (SCA), also known as Static Application Security Testing (SAST).
Note: Some people refer to SCA as Static Composition Analysis, in which case they are referring to verifying that your dependencies are not known to be vulnerable. In this article I mean static code analysis.
When application security folks say 'static' analysis, we mean examining the code as it is written, as opposed to 'dynamic' analysis, which tests the application while it is running (for example, on a web server).
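To make the distinction concrete, here is an added example (written for this article, not code from the original post or from any particular SAST tool): a minimal static check in Python that parses a constructed source sample with the standard library `ast` module and flags two classic code-review findings, without ever executing the sample.

```python
import ast

# Constructed sample of "written code" to analyse. It is input for the
# checker only; nothing in it is ever executed.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)

def calc(expr):
    return eval(expr)

def safe():
    return eval("1 + 1")
'''

# Calls that a reviewer would always stop and look at.
DANGEROUS_CALLS = {"eval", "exec"}

def _call_name(node):
    """Return a dotted callee name for an ast.Call, e.g. 'subprocess.run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def find_findings(source):
    """Parse `source` and return sorted (line, message) findings.

    This is static analysis in miniature: the syntax tree is inspected,
    so the sample's subprocess.run and eval calls never run here.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            # eval("1 + 1") on a string literal is harmless; flag non-literal args.
            if node.args and not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, f"{name}() called on a non-literal argument"))
        elif name == "subprocess.run":
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "subprocess.run() called with shell=True"))
    return sorted(findings)
```

Running `find_findings(SAMPLE_SOURCE)` reports the `shell=True` call on line 5 and the `eval(expr)` call on line 8, while the literal `eval("1 + 1")` is left alone; a real tool does the same thing with far more rules and data-flow tracking.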
I wasn't sure if I was going to cover this topic, even though I know code review is very important. I personally find code review very difficult; my attention span is short and I can be impatient at times (such as, for example, when I am awake). Code review demands both patience and intense concentration. That said, it's a highly valuable activity which can find a lot of security problems, far before you get to the testing or release stages, potentially saving both time and money.
There are two options for doing code review: manual or with a tool. There are pros and cons to each.