Which aspect of application security does static source code analysis primarily focus on?

Test your knowledge and grow your confidence for the CISSP Domain 6 Security Assessment and Testing Exam with our insightful quiz. Explore multiple-choice questions, hints, and explanations to excel in your exam preparations.

Static source code analysis is a method used to inspect and analyze the source code of an application without executing it. This approach identifies potential vulnerabilities and weaknesses that could be exploited by attackers. Because it examines the code itself rather than the program's runtime behaviour, a static analysis tool can point out issues such as security flaws, coding standards violations, and potential bugs anywhere in the code base, including paths that a test run might never reach.

This form of analysis is particularly effective in early stages of development, allowing developers to rectify issues before the application is deployed. It helps in uncovering issues like SQL injection points, cross-site scripting vulnerabilities, and buffer overflows, even if those parts of the code have not been executed in a running application.
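To make the idea concrete, here is a small, added example of a static check, not code from the quiz page or from any particular analysis product. It parses Python source text into an abstract syntax tree and flags database `execute()` / `executemany()` calls whose query is built by string concatenation or formatting (the usual shape of an SQL injection point), without ever running the analysed code. The sample source, the sink-method names and the rule itself are assumptions chosen for illustration.

```python
"""Minimal static source-code check (added example, not from the quiz page).

Walks the abstract syntax tree of Python source text and reports database
calls whose query argument is assembled at runtime from string parts.
The analysed source is parsed only; none of it is executed.
"""
import ast

# Method names treated as SQL sinks. This set is an assumption for the example;
# a real analyser would carry a catalogue of sinks per database library.
SINK_METHODS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):               # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                   # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"             # "...".format(x)
    return False


def find_sql_concat(source: str):
    """Return a list of (line_number, message) for each sink fed a dynamic query."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # Only method calls such as cursor.execute(...) are of interest.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_METHODS or not node.args:
            continue
        query = node.args[0]
        if _is_dynamic_string(query):
            findings.append(
                (node.lineno,
                 f"{node.func.attr}() receives a query built by string "
                 "concatenation or formatting; use a parameterised query")
            )
    return findings


# Constructed sample source: one concatenated query, one parameterised query.
SAMPLE_SOURCE = '''
def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    for line, msg in find_sql_concat(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

Running the block reports only the first function: the parameterised call passes its value separately from the query text, so the rule is silent on it. This is the same distinction a production static analyser draws, except that a real tool also tracks data flow (a query string assembled in one variable and executed later) and knows the sinks of many libraries and languages.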

Other options mentioned focus on aspects that static analysis does not cover. Testing user interfaces pertains to dynamic testing techniques that assess how the user interface behaves during interactions. Performance under heavy load and behavior under real user transactions are also dynamic assessments, where the application is run under specific conditions to evaluate its performance or functionality in real-world scenarios. These aspects are better suited to dynamic analysis methods rather than static source code analysis.
