Compilers and Static Code Analyzers have a lot in common. In fact, Fortify SCA internally leverages open source compilers in the first stage of the analysis for several languages (e.g. Java, Kotlin). The key difference is what happens after the initial parsing and resolution stages. Compilers would then proceed to output binary or byte-code, where Static Code Analyzers will run multiple analysis algorithms on the data to find security vulnerabilities. Compilers may be doing some quality checking as part of their process (e.g. warning for unused variables or similar bad-practices), but they don't do the type of security analysis that static analysis tools do.
00:59 my background 03:17 Static analysis 04:50 weaknesses, vulnerabilities 08:34 SAST, DAST
Sorry for the late reply, but thanks for your helpful comment.
Awesome video with great explanations. Look forward to the upcoming series!
Thanks! We're trying to add some AppSec intro material to go along with our more technical content.
Great video guys! Very informative and comprehensive explanation and comparison.
We appreciate the feedback and glad you found it informative!
Excellent video. Will you be having Hans Enders to provide an overview of WebInspect?
He doesn't know it yet, but that's a great idea.
Very great explanation. Thank you.
Glad it was helpful!
Thank You Sir for this video.
Can you show me difference between Compiler and Static Code Analysis?
Compilers and Static Code Analyzers have a lot in common. In fact, Fortify SCA internally leverages open source compilers in the first stage of the analysis for several languages (e.g. Java, Kotlin). The key difference is what happens after the initial parsing and resolution stages. Compilers would then proceed to output binary or byte-code, where Static Code Analyzers will run multiple analysis algorithms on the data to find security vulnerabilities. Compilers may be doing some quality checking as part of their process (e.g. warning for unused variables or similar bad-practices), but they don't do the type of security analysis that static analysis tools do.