Static Code Analysis Tools
By yuanlin on May 28, 2006
News.com recently ran an article on companies selling commercial static code analysis tools that check for security flaws.
Companies and products to watch:
- Microsoft (PREfast, described in a presentation, and Static Driver Verifier)
- @Stake (acquired by Symantec)
- Coverity (from Stanford)
- Ounce Labs
Most of them use context-sensitive, interprocedural, cross-module, and mixed-language analysis. A major difference between the analysis used in static error detection and the one used in compiler optimization is that the former can be incomplete and unsound: a compiler may only apply a transformation when its analysis guarantees that program behaviour is preserved, so it has to be conservative, whereas a bug finder is free to miss some real bugs (unsoundness) and to report some spurious ones (incompleteness) in exchange for scaling to real code bases with a tolerable false-alarm rate.
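To make the trade-off concrete, here is a toy taint checker that I added for this post; it is not code from any of the products above. It uses Python's ast module to track attacker-controlled data from a source (`input`) to a command-execution sink (`os.system`) across function calls. It is context-sensitive (callee summaries are computed per set of tainted parameters) and interprocedural, but deliberately unsound (it gives up on call chains deeper than `max_depth`) and incomplete (it is flow-insensitive, so a variable that was ever tainted stays tainted). `SAMPLE` is a constructed input written to exercise each case; the source and sink sets are assumptions for the demo.

```python
"""Toy interprocedural taint checker built on Python's ast module (added example)."""
import ast
from typing import Dict, List, Set, Tuple

SOURCES = {"input"}      # assumption for the demo: calls yielding attacker-controlled data
SINKS = {"os.system"}    # assumption for the demo: calls that must never get tainted data


def call_name(call: ast.Call) -> str:
    """Return 'f' or 'mod.f' for a call expression, '' for anything fancier."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


class TaintChecker:
    def __init__(self, source: str, interprocedural: bool = True, max_depth: int = 3):
        tree = ast.parse(source)
        self.funcs: Dict[str, ast.FunctionDef] = {
            n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
        self.interprocedural = interprocedural
        self.max_depth = max_depth

    def tainted(self, expr: ast.AST, env: Dict[str, bool], depth: int) -> bool:
        """May-taint of an expression under the current variable environment."""
        if isinstance(expr, ast.Name):
            return env.get(expr.id, False)
        if isinstance(expr, ast.Call):
            name = call_name(expr)
            args = [self.tainted(a, env, depth) for a in expr.args]
            if name in SOURCES:
                return True
            if name in self.funcs:
                if not self.interprocedural or depth >= self.max_depth:
                    return False  # give up: UNSOUND, a real flow can be missed here
                params = [p.arg for p in self.funcs[name].args.args]
                tainted_params = frozenset(p for p, t in zip(params, args) if t)
                return self.summary(name, tainted_params, depth + 1)
            return any(args)      # unknown callee: assume it propagates its arguments
        # BinOp, f-string, subscript, ...: tainted if any operand is
        return any(self.tainted(c, env, depth) for c in ast.iter_child_nodes(expr))

    def summary(self, name: str, tainted_params: frozenset, depth: int) -> bool:
        """Context-sensitive summary: does `name` return taint given these tainted params?"""
        fn = self.funcs[name]
        env = {p.arg: p.arg in tainted_params for p in fn.args.args}
        return self.scan(fn.body, env, depth, name, [])  # callee sinks are not re-reported

    def scan(self, stmts, env, depth, fname, findings) -> bool:
        """Walk statements in order, record tainted sink calls, return may-taint of returns."""
        returns_tainted = False
        for stmt in stmts:
            if isinstance(stmt, (ast.If, ast.While, ast.For, ast.With)):
                # Path-insensitive: both arms update the same environment
                for field in ("body", "orelse"):
                    returns_tainted |= self.scan(getattr(stmt, field, []), env, depth, fname, findings)
                continue
            value = getattr(stmt, "value", None)
            if value is None:
                continue
            for node in ast.walk(value):
                if isinstance(node, ast.Call) and call_name(node) in SINKS:
                    if any(self.tainted(a, env, depth) for a in node.args):
                        findings.append((fname, node.lineno))
            if isinstance(stmt, ast.Assign):
                t = self.tainted(value, env, depth)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        # Flow-insensitive: once tainted, stays tainted -> INCOMPLETE (false alarms)
                        env[target.id] = env.get(target.id, False) or t
            elif isinstance(stmt, ast.Return):
                returns_tainted |= self.tainted(value, env, depth)
        return returns_tainted

    def check(self) -> List[Tuple[str, int]]:
        findings: List[Tuple[str, int]] = []
        for name, fn in self.funcs.items():
            env = {p.arg: False for p in fn.args.args}   # entry points get clean parameters
            self.scan(fn.body, env, 0, name, findings)
        return sorted(set(findings))


def flagged_functions(source: str, **kw) -> Set[str]:
    return {fname for fname, _ in TaintChecker(source, **kw).check()}


# Constructed sample program exercising each behaviour of the checker.
SAMPLE = '''
import os
def get_name():   return input("name: ")
def wrap(s):      return "echo " + s
def hop1(s):      return wrap(s)
def hop2(s):      return hop1(s)
def hop3(s):      return hop2(s)
def direct():      os.system("echo " + input())   # found even intraprocedurally
def via_helpers(): os.system(wrap(get_name()))    # needs interprocedural analysis
def overwritten():
    cmd = input()
    cmd = "ls"                                     # constant now, but still flagged (false alarm)
    os.system(cmd)
def too_deep():    os.system(hop3(get_name()))    # chain exceeds max_depth=3: missed (unsound)
'''

if __name__ == "__main__":
    print("interprocedural, depth 3:", sorted(flagged_functions(SAMPLE)))
    print("intraprocedural:         ", sorted(flagged_functions(SAMPLE, interprocedural=False)))
    print("interprocedural, depth 5:", sorted(flagged_functions(SAMPLE, max_depth=5)))
```

Running it with the defaults flags `direct`, `via_helpers` and `overwritten` and misses `too_deep`; switching to intraprocedural mode additionally loses `via_helpers`, and raising `max_depth` to 5 recovers `too_deep`. The `overwritten` report is the price of flow-insensitivity, and the depth bound is exactly the kind of unsound cut a compiler optimizer could never make but a bug finder routinely does.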
Here is a link to a site that lists a collection of static analysis tools for C code.