Webinar Recap | Applying Static Code Analysis To The SDLC

29 Jul 2021 Webinar

In the webinar on July 29, Dr. Li Long, chief scientist of Xcalibyte, gave an explanation of static code analysis and how to apply it to the SDLC. In addition, he also discussed the challenges faced by static code analysis tools.

Static Code Analysis is also known as Static Application Security Testing (SAST). It is a set of technologies designed to analyze application source code, byte code, and binaries to identify defects and vulnerabilities. When SAST is applied in SDLC, there are two different usage scenarios: standalone and CI/CD.

Although standalone and CI/CD approaches are not the same, the two do not conflict. Some simple checks such as syntax and coding standards can be processed locally by the developer. If it is a code check that needs to interact with other modules, it needs to be submitted to the CI/CD process to make the process more convenient and efficient.

Although SAST can bring many benefits and efficiencies, there are still some limitations. One of the biggest challenges is that many static code analysis tools currently on the market consume a lot of time and memory and have many false positives. The result can be far from the expectations of developers.

The static code analysis tool Xcalscan of Xcalibyte has the following advantages:

– Advanced complier-based technology (OPEN64 compiler)

– Analysis on the Intermediate Representation layer

– Utilizes a ‘No-False’ Negative targeted analysis approach

– On-demand analysis

– Symbolic evaluation


Some questions asked include:

Q1. What is the difference between SAST and dynamic scanning DAST or IAST?

SAST performs analysis without execution. Dynamic Application Security Testing (DAST) identifies issues during the actual execution through dynamic code execution. Interactive Application Secutiy Testing (IAST) uses a combination of static and dynamic testing to identify defects in applications.

Q2. What code specifications and vulnerability libraries can be scanned by Xcalscan?

In addition to some third-party specifications such as CERT and OWASP, Xcalscan can also support customer-defined rules for scanning.

Watch the video below to see the Webinar in full. Note, that the webinar is in Chinese.

Download the full presentation.


Find out more about how Xcalscan helps developers

identify hard to find bugs or contact us for a demo.