In this post, we will review and compare the following four decompilers: Fernflower, CFR, Procyon, and jadx. Disclaimer: this is neither a formal nor a scientific comparison, but rather an overview of all Java bytecode decompilers relevant, as of autumn 2019.
Today, there are two key approaches to searching for vulnerabilities in apps: static and dynamic application security testing, with each having pros and cons. The market is currently inclined to employ both approaches since they solve slightly different tasks and give different results. However, SAST use is restricted in some cases, for example, when source code is unavailable. In this post, we’ll talk about a rather rare but very beneficial technology that combines SAST and DAST advantages — static analysis of executable code.
Recently, we have increasingly heard about the importance of static analysis as a tool for newly developed software quality assurance, especially in terms of security. Static analysis helps discover vulnerabilities and other errors and can be integrated into existing processes and thus used during development. However, this raises many questions. What is the difference between free and commercial tools? Why using a linter is not enough? And what do statistics have to do with it? Let’s see.
Today, vulnerability detection via static analysis is more and more talked of as a mandatory stage in the development process. However, static analysis problems are in the spotlight as well. If you tried any serious tool, you could be scared off by long reports with confusing recommendations, tool configuration difficulties, and false positives. So, is static analysis even needed?
