Getting security right requires understanding what can go wrong. By looking at a multitude of past security problems, we know that small coding errors can have a big impact on security. Often these problems are not related to any security feature, and there is no way to solve them by adding or altering security features. Techniques such as defensive programming that are aimed at creating more reliable software dont solve the security problem, and neither does more extensive software testing or penetration testing.
Achieving good software security requires taking security into account throughout the software development lifecycle. Different security methodologies emphasize different process steps, but all methodologies agree on one point: Developers need to examine source code to identify security-relevant defects. Static analysis can help identify problems that are visible in the code.
"Secure Programming With Static Analysis" learn more