Our Unique Code Analysis Approach

Static code analysis algorithms that are dedicated to the TCL programming language.

Code Flow Analysis

Static Code Analysis

Static analysis is performed on the source code of an application without executing it. For this reason, static code analysis has the great advantage that the source code can be in a non-functional state, so it can be directly integrated into the development process and detect security issues as early as possible, when the code is still being written. Furthermore, all issues can be pinpointed to the exact line of code for quick remediation.

ECG transforms the complete source code into abstract layers that are analysed for security vulnerabilities. More precisely, ECG uses taint analysis to analyse the data flow of user input that the application receives across file and function boundaries. The data flow of user input is traced throughout the entire code base: files, functions, classes and methods. If user input reaches a security-sensitive function (e.g. a SQL query), an attacker could potentially subvert this operation; for this reason, ECG will report a security vulnerability (e.g. a SQL injection vulnerability).
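To illustrate the taint-tracking idea described above (user input followed across function boundaries until it reaches a sensitive sink), here is a small added example; it is not ECG's engine or its code. It runs over a constructed toy program encoded as tuples, with hypothetical statement kinds `source`, `assign`, `sanitize`, `call` and `sink`.

```python
from dataclasses import dataclass

# Toy interprocedural taint tracker (illustration only, not ECG's engine).
# Each function is {"params": [...], "body": [statements]} where a statement is:
#   ("source", dst)            user input enters dst (e.g. a request parameter)
#   ("assign", dst, [srcs])    dst is built from srcs (string concatenation etc.)
#   ("sanitize", dst, src)     dst is a cleaned copy of src, so it is untainted
#   ("call", callee, [args])   taint flows from args into the callee's parameters
#   ("sink", var, kind)        security-sensitive use of var, e.g. a SQL query

@dataclass
class Finding:
    func: str   # function containing the sink
    line: int   # 1-based statement index within that function
    kind: str   # sink kind, e.g. "sql_query"
    var: str    # tainted variable reaching the sink

def analyze(program, entry, tainted_params=frozenset(), seen=None):
    """Return Findings for tainted data reaching sinks, following calls."""
    seen = set() if seen is None else seen
    key = (entry, tainted_params)
    if key in seen:              # this (function, taint state) was already explored
        return []
    seen.add(key)
    tainted, findings = set(tainted_params), []
    for lineno, stmt in enumerate(program[entry]["body"], start=1):
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":     # taint propagates if any input is tainted
            (tainted.add if any(s in tainted for s in stmt[2]) else tainted.discard)(stmt[1])
        elif op == "sanitize":
            tainted.discard(stmt[1])
        elif op == "call":       # map tainted arguments onto callee parameters
            params = program[stmt[1]]["params"]
            passed = frozenset(p for p, a in zip(params, stmt[2]) if a in tainted)
            findings += analyze(program, stmt[1], passed, seen)
        elif op == "sink" and stmt[1] in tainted:
            findings.append(Finding(entry, lineno, stmt[2], stmt[1]))
    return findings

# Constructed sample: main reads a user id, passes it raw and then sanitized
# into lookup_user, which builds a query string from its parameter.
PROGRAM = {
    "main": {"params": [], "body": [
        ("source", "uid"),
        ("call", "lookup_user", ["uid"]),        # tainted uid crosses the boundary
        ("sanitize", "safe_uid", "uid"),
        ("call", "lookup_user", ["safe_uid"]),   # cleaned copy: no finding
    ]},
    "lookup_user": {"params": ["id"], "body": [
        ("assign", "sql", ["id"]),
        ("sink", "sql", "sql_query"),
    ]},
}
```

Running `analyze(PROGRAM, "main")` reports the single sink in `lookup_user` reached by the raw `uid`, pinpointed to its function and statement index, while the sanitized call produces nothing.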

ECG's analysis algorithms are specifically tailored to the TCL/ADP programming language: they simulate TCL-specific features and characteristics in order to generate the most precise and efficient model possible. The outcome is ECG's leading code coverage and efficient analysis. Static application security testing (SAST) tools should be part of the necessary code testing and review processes, so that security issues can be detected and fixed as early as possible. This allows developers and security analysts to leave no stone unturned, ensuring that complex security vulnerabilities do not remain undetected in the source code.

The ECG Approach

Static application security testing has a major pitfall: the usually high number of false positives generated by the scan. ECG solves this issue (in its SaaS version) by having human security analysts check each reported issue and filter out false positives, for the most accurate analysis possible. With this mixed approach, complex security bugs in the source code will be accurately detected.