Static and dynamic code analyses are performed during source code reviews. Static code analysis is done without executing any of the code; dynamic code analysis relies on studying how the code behaves during execution.
When performing comprehensive source code reviews, both static and dynamic testing should be performed. Static analysis source code testing is adequate for understanding security issues within program code and can usually pick up about 85% of the flaws in the code.
Dynamic code review has the additional ability to find security issues caused by the code's interaction with other system components like SQL databases, application servers or Web services. (Parameters are sent to back-end servers for processing, which could be modified before returning.) Dynamic code reviews, presented with a wide range of inputs and security tests, will generally pick up about 85% of the flaws present in the code. It's important to note, however, that dynamic code review software has to be able to understand the source code of the program to adequately build a series of correct inputs for test coverage. Combining both types of code review should pick up about 95% of the flaws, provided the reviews are done by someone able to understand the source code during static analysis, and that the range of tests for dynamic analysis is sufficiently wide.
Code analysis in itself produces secure code, but other issues, such as changes within the system build, need to also be considered to produce a secure system. For instance, is PHP installed with safe mode enabled during the code review and disabled in the production environment? Also, other potentially devastating attacks unrelated to flaws within the source code might exist, like system commands embedded within uploaded zip files not being inspected. Therefore, additional testing, such as performing penetration testing in conjunction with validating server configuration, should be performed in concert with source code reviews.
This was first published in September 2010