Most audit standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), require source code auditing. A source code audit is typically carried out with a source code scanner that identifies irregularities or security defects in the source code. In industry, source code scanners are also referred to as source code analyzers or source code scanning tools. A code segment may be functionally correct yet written in a way that makes it easy for an attacker to break into. Code authors therefore have a combined responsibility to write code that is both functionally correct and relatively hard, if not impossible, for a malicious attacker to break into. While functional correctness of code has been addressed extensively by the software testing industry, secure coding correctness is a relatively new concern.
Source code scanning tools scan the source code and identify irregularities present in it. For example, a scanner may look for misuse of code constructs that allows the code to break or fail easily, design flaws, absence of logical organization, missing generics, errors in conditional logic, and issues that arise during execution of the code. A wide variety of security code defects are known in industry, and standards bodies have published top-10 or top-35 lists of defect types. Source code scanners benchmark themselves by their ability to detect known or well-documented source code security defects. A wide range of source code scanners is now available on the market, so organizations may find it difficult to select one that meets the requirements of their project and identifies irregularities in the source code accurately.
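As an added illustration (not code from the original text or any product it mentions), here is a minimal AST-based source code scanner in Python that implements four of the irregularity classes just described: a dangerous-call rule, a shell=True rule, a hard-coded secret rule and a conditional-logic rule. The rule identifiers and the sample module it scans are constructed for this example.

```python
import ast
# Constructed sample input (not real project code): a module with defects to report.
SAMPLE_SOURCE = '''
import subprocess
PASSWORD = "hunter2"
def run(cmd):
    subprocess.call(cmd, shell=True)
def calc(expr):
    return eval(expr)
def check(flag):
    if flag == flag:
        return 1
'''
DANGEROUS_CALLS = {"eval", "exec"}  # arbitrary code execution sinks
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")

class DefectFinder(ast.NodeVisitor):  # records (line, rule_id, message) findings
    def __init__(self):
        self.findings = []
    def report(self, node, rule, msg):
        self.findings.append((node.lineno, rule, msg))
    def visit_Call(self, node):
        f = node.func
        # Rule 1: eval()/exec() on possibly attacker-controlled strings.
        if isinstance(f, ast.Name) and f.id in DANGEROUS_CALLS:
            self.report(node, "DANGEROUS_CALL", f"call to {f.id}()")
        # Rule 2: subprocess.*(..., shell=True), a command injection sink.
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) \
                and f.value.id == "subprocess":
            for kw in node.keywords:
                if kw.arg == "shell" and getattr(kw.value, "value", None) is True:
                    self.report(node, "SHELL_TRUE", "subprocess call with shell=True")
        self.generic_visit(node)
    def visit_Assign(self, node):
        # Rule 3: string literal assigned to a secret-looking name.
        for t in node.targets:
            if isinstance(t, ast.Name) and any(s in t.id.lower() for s in SECRET_NAMES) \
                    and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                self.report(node, "HARDCODED_SECRET", f"literal assigned to {t.id}")
        self.generic_visit(node)
    def visit_Compare(self, node):
        # Rule 4: conditional-logic error, an expression compared with itself.
        if len(node.comparators) == 1 and ast.dump(node.left) == ast.dump(node.comparators[0]):
            self.report(node, "SELF_COMPARE", "expression compared with itself")
        self.generic_visit(node)

def scan(source):
    # Parse the source and return findings sorted by line number.
    finder = DefectFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)
```

Real scanners add data-flow tracking so that, for instance, `shell=True` with a constant command is not reported while the same call with user-supplied input is.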