# Static Analysis

- Some approaches
  - Automatic testing
  - Code inspection
- Static analysis combines the best of both of the above
- SAST = Static Application Security Testing
- Rice's Theorem -- static analysis can't find all the paths for a nontrivial property.
- Either over-estimation or under-estimation of the program's behaviors.
- Sound vs Complete Analysis

## Flow Analysis

- Many vulnerabilities are caused by _untrusted inputs_.
- Taint Analysis -- from source to sink
  - Know where the sinks are
  - Mark user inputs as tainted
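
As an added illustration (not part of the original notes), here is a small source-to-sink taint checker built on Python's `ast` module. The source, sink and sanitizer names and the sample program are assumptions chosen for the example; the last finding shows over-estimation, since the analysis joins both sides of a branch that can never run.

```python
import ast
# Assumed source, sink and sanitizer names for this example.
SOURCES, SINKS, SANITIZERS = {"input"}, {"os.system", "eval"}, {"shlex.quote"}

def is_tainted(expr, tainted):
    """True if any part of the expression derives from a source."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = ast.unparse(expr.func)
        if name in SOURCES or name in SANITIZERS:
            return name in SOURCES
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def analyze(stmts, tainted, findings):
    """Propagate taint through statements; return the tainted names."""
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            # Either branch may run, so join them (over-estimation).
            tainted = (analyze(stmt.body, set(tainted), findings)
                       | analyze(stmt.orelse, set(tainted), findings))
            continue
        for node in ast.walk(stmt):  # loops and functions are not modelled
            if isinstance(node, ast.Call) and ast.unparse(node.func) in SINKS:
                if any(is_tainted(a, tainted) for a in node.args):
                    findings.append((node.lineno, ast.unparse(node.func)))
        if isinstance(stmt, ast.Assign):
            names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            hot = is_tainted(stmt.value, tainted)
            tainted = tainted | names if hot else tainted - names
    return tainted

def find_flows(code):
    """Return (line, sink) pairs where source data reaches a sink."""
    findings = []
    analyze(ast.parse(code).body, set(), findings)
    return findings

# Constructed sample program; it is parsed, never executed.
SAMPLE = """\
import os, shlex
name = input()
os.system("ls " + name)               # flagged: tainted input reaches a sink
os.system("ls " + shlex.quote(name))  # not flagged: sanitized first
mode = "-l"
if False:
    mode = input()
os.system("ls " + mode)               # flagged although this path never runs
"""
print(find_flows(SAMPLE))
```

Because loops and function bodies are not modelled, the same checker also under-estimates: a flow that only exists through them is missed.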