
Choosing the Right Static Code Analyzers Based on Hard Data

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses, Software Development Courses, Code Quality Courses, Scalability Courses, Static Code Analysis Courses

Course Description

Overview

Explore the world of static code analysis in this 40-minute OWASP Foundation conference talk. Learn about different types of static analyzers, their benefits for improving code quality and security, and how to choose the right tools based on empirical data. Discover the Kampar project, which aims to provide comprehensive information about software analyzers. Delve into key considerations such as process integration, analyzer requirements, speed, scalability, and reporting capabilities. Examine the limitations of static analyzers in terms of weakness coverage and result quality. Gain insights into future challenges and opportunities for contributing to the field of static code analysis.

Syllabus

About the speaker
Outline of today's talk
What is this static analysis
What types of issues can static analysis find?
Using analyzers improves code quality & security
Build Kampar into a source of information about software analyzers, beginning with static tools
Basic information
Process integration
When & where will the analyzer run?
What inputs does the analyzer require?
Speed & scalability
Reporting
3. Coverage
Static analyzers have limited weakness coverage
5. Results quality
Challenges ahead
Make a contribution


Taught by

OWASP Foundation
