The Security Development Lifecycle : Static Analysis Tools and the SDL (Part One)

I don't understand English very well, so I expect id:hasegawayosuke will respond to this.

What You Should Do

If you write native C or C++ code, you should:

* Compile at least once a day with /analyze
* Use SAL to annotate your function prototypes; this will help the static analysis functionality in the compiler find many more bugs.

The following warnings should be analyzed, as they are probably security issues:

6029 6053 6054 6057 6059 6063 6067 6200 6201 6202 6203 6204 6209 6248 6277 6298 6305 6308 6383

Finally, for extra credit, look for the following warnings that are generated by the compiler and not by the static analysis tools:

4700 and 4701

Both of these relate to uninitialized data. To enable them, either compile with warning level 4 (/W4) or, if you're not daring enough, use /W3 augmented with the following:

/W3 /WX /we4701 /we4700

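As an added example (not code from the SDL blog post or from this blog), here is what the advice above looks like in a small C file: the prototypes carry SAL annotations that tell /analyze how large each buffer is, the body enforces the same contract at runtime, and every local is initialized at declaration so that warnings 4700/4701 stay quiet. The `copy_bounded` and `demo` names are my own; on non-MSVC compilers the annotations are defined away (an assumption made here only so the file builds everywhere; the analysis benefit exists only under `cl /analyze`).

```c
/* Added example: SAL-annotated prototype for /analyze.
 * Build on MSVC with:  cl /analyze /W3 /WX /we4701 /we4700 example.c
 * (the flags quoted from the SDL post above). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _MSC_VER
#include <sal.h>
#else
/* Assumption: outside MSVC the annotations are no-ops so the file compiles;
 * they do nothing for gcc/clang, which have no /analyze equivalent of these. */
#define _Success_(expr)
#define _In_reads_bytes_(n)
#define _Out_writes_bytes_(n)
#endif

/* Copy 'len' bytes from src into dst, which can hold 'cap' bytes.
 * _In_reads_bytes_(len) and _Out_writes_bytes_(cap) give /analyze the size of
 * each buffer, so a caller that passes a too-small dst is flagged at analysis
 * time; the runtime check below rejects the same mistake in the built binary.
 * _Success_(return == 0) tells the analyzer dst is only fully written when 0
 * is returned, so a caller that ignores the status is told about it. */
_Success_(return == 0)
int copy_bounded(_Out_writes_bytes_(cap) unsigned char *dst, size_t cap,
                 _In_reads_bytes_(len) const unsigned char *src, size_t len)
{
    if (dst == NULL || src == NULL) {
        return -1;              /* null argument */
    }
    if (len > cap) {
        return -2;              /* would overrun dst: refuse, do not truncate silently */
    }
    memcpy(dst, src, len);
    return 0;
}

/* Exercise the function with a fitting and an oversized copy.
 * Every local is initialized at declaration; leaving 'rc_ok' or 'rc_bad'
 * unassigned on some path is exactly what C4700/C4701 would report. */
int demo(void)
{
    unsigned char buf[8] = {0};                       /* constructed destination */
    const unsigned char sample[] = "0123456789";      /* constructed sample input (11 bytes) */
    int rc_ok = copy_bounded(buf, sizeof buf, sample, 8);    /* fits: 0 */
    int rc_bad = copy_bounded(buf, sizeof buf, sample, 10);  /* too long: -2 */
    return (rc_ok == 0 && rc_bad == -2) ? 1 : 0;
}

int main(void)
{
    printf("demo %s\n", demo() == 1 ? "passed" : "failed");
    return demo() == 1 ? 0 : 1;
}
```

Under /analyze, the annotated prototype is what lets the compiler reason about a caller in another translation unit; without the `_Out_writes_bytes_(cap)` annotation it only sees an `unsigned char *` and cannot relate `cap` to the buffer, which is why the post says SAL makes the analysis find many more bugs.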
The SDL Optimization Model and Static Analysis

If you’re following the SDL Optimization model, use of static analysis tools is deemed a requirement for the ‘Advanced’ maturity level.

http://blogs.msdn.com/sdl/archive/2009/06/29/static-analysis-tools-and-the-sdl-part-one.aspx

There was also a second article.

The SDL Optimization Model and Static Analysis

If you’re following the SDL Optimization model, use of static analysis tools is deemed a requirement for the ‘Advanced’ maturity level.

http://blogs.msdn.com/sdl/archive/2009/07/06/static-analysis-tools-and-the-sdl-part-two.aspx
