Static code analysis finds avoidable errors

At the Source

Virtue out of Necessity

If you want to get used to a thorough and clean programming style, going with Splint is undoubtedly a good idea – you will be in good company. Developers who also want to investigate every false positive thoroughly will find RATS a helpful companion.

In all cases, the results matter: enforced quality assurance, the rethinking and relearning prompted by the constant, unyielding criticism of the checking tools, and software with a low security risk. OpenBSD shows that static code analysis, reviews, and coding standards can make secure programming a reality, as evidenced by just two remotely exploitable security vulnerabilities in 20 years.



The Author

Dr. Tobias Eggendorfer is a professor of IT security and a freelance IT consultant. When he teaches IT forensics, his students moan from time to time, because long-forgotten knowledge from basic lectures suddenly becomes important again, which is exactly what makes IT forensics and security so exciting.
