Dynamic code analysis vs. static analysis source code testing

Ask the Expert


What is the difference between static code analysis and dynamic code analysis? Is one method preferred over another in terms of security?


Static and dynamic code analyses are performed during source code reviews. Static code analysis is done without executing any of the code; dynamic code analysis relies on studying how the code behaves during execution.

When performing comprehensive source code reviews, both static and dynamic testing should be performed. Static analysis source code testing is adequate for understanding security issues within program code and can usually pick up about 85% of the flaws in the code.

Dynamic code review has the additional ability to find security issues caused by the code's interaction with other system components, such as SQL databases, application servers or Web services; parameters sent to back-end servers for processing could be modified before they are returned. Dynamic code reviews, presented with a wide range of inputs and security tests, will generally pick up about 85% of the flaws present in the code. It's important to note, however, that dynamic code review software has to be able to understand the source code of the program in order to build a series of correct inputs for adequate test coverage. Combining both types of code review should pick up about 95% of the flaws, provided the static analysis is done by someone able to understand the source code and the range of tests for dynamic analysis is sufficiently wide.
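As an added illustration of the two approaches described above (example code written for this page, not code from the original article), the following Python script applies a crude static check and a dynamic probe to the same constructed sample of code. The sample functions `lookup_unsafe` and `lookup_safe`, the scanner `static_scan`, the probe `dynamic_probe` and the combining function `review` are all assumptions made for this example. The static pass only parses the text and flags any `execute()` call whose query argument is not a string literal; the dynamic pass actually runs each function against a throwaway SQLite database and observes what a single quote in the input does.

```python
import ast
import sqlite3

# Constructed sample under review, held as text the way a scanner receives it
# (an assumption of this example). lookup_unsafe splices the username into the
# SQL string; lookup_safe hands it to the driver as a bound parameter.
SAMPLE_SOURCE = '''
def lookup_unsafe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = '" + username + "'").fetchall()

def lookup_safe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


def static_scan(source):
    """Static analysis: parse the source and return the names of functions
    that call execute() with a query argument that is not a string literal.
    Nothing is executed, so this works even on code that cannot be run."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and not isinstance(node.args[0], ast.Constant)):
                findings.append(func.name)
                break
    return findings


def load_sample(source):
    """Turn the sample text into callable functions for the dynamic pass."""
    namespace = {}
    exec(source, namespace)
    return namespace


def dynamic_probe(lookup):
    """Dynamic analysis: run the function against a throwaway database with a
    normal name and with a name containing a single quote, and report what
    happened. A correct lookup treats the quote as data and returns no rows;
    a lookup that splices input into the query breaks the SQL instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    benign_rows = len(lookup(conn, "alice"))
    error = None
    probe_rows = 0
    try:
        probe_rows = len(lookup(conn, "o'brien"))
    except sqlite3.Error as exc:
        error = type(exc).__name__
    return {
        "benign_rows": benign_rows,
        "probe_rows": probe_rows,
        "error": error,
        # Either outcome means the input reached the SQL parser as code.
        "flagged": error is not None or probe_rows != 0,
    }


def review(source):
    """Combine both passes, as the answer above recommends, into one report."""
    statically_flagged = set(static_scan(source))
    report = {}
    for name, obj in load_sample(source).items():
        if name.startswith("__") or not callable(obj):
            continue
        report[name] = {
            "static": name in statically_flagged,
            "dynamic": dynamic_probe(obj)["flagged"],
        }
    return report


if __name__ == "__main__":
    for name, result in review(SAMPLE_SOURCE).items():
        print(f"{name}: {result}")
```

Running the script reports `lookup_unsafe` as flagged by both passes and `lookup_safe` by neither. The static check is deliberately crude: it would also flag a query held in a variable, which is why the answer stresses that the person doing static analysis must understand the code. The dynamic check only sees what its inputs exercise, which is why the range of tests must be wide.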

Code analysis in itself produces secure code, but other issues, such as changes within the system build, also need to be considered to produce a secure system. For instance, is PHP installed with safe mode enabled during the code review but disabled in the production environment? Other potentially devastating attacks unrelated to flaws in the source code might also exist, such as uploaded zip files that contain system commands and are never inspected. Therefore, additional testing, such as penetration testing combined with validation of the server configuration, should be performed in concert with source code reviews.

This was first published in September 2010
