Dynamic and static analysis are two types of code security testing. Both are used when checking source code. A static code review does not require executing the code, while dynamic code analysis depends on how the code behaves during execution. Normally both methods are used when reviewing source code extensively.
To understand and observe how well these tests work, a company needs to pay close attention to the details of each.
What is Static Code Analysis?
Static analysis involves checking the source code without executing it. That means it focuses on the internal structure of the code rather than on its functional behaviour. It is normally performed in a non-runtime environment, i.e. it is not done while the program is running.
Static analysis involves checking the source code, byte code or application binaries for possible vulnerabilities. While performing this test, application data and control paths are modelled and then checked for security weaknesses.
Benefits and Limitations of Static Analysis
Benefits
1) Locates the exact area of error in coding.
2) Grants ample time for some quick fixes.
3) It locates the issues at an early stage.
4) Detects certain unique defects like variable use, uncalled functions or unreachable codes.
5) It is conducted by trained developers who have a complete understanding of the code, or by using an automated code review tool such as Codegrip.
Limitations
1) Takes a lot of time if done manually.
2) A shortage of trained people makes it difficult to perform.
3) Cannot locate issues faced in the runtime environment.
What is Dynamic Code Analysis?
Dynamic analysis is the exact opposite: it is done in a runtime environment. Thus it studies the program from the outside rather than reading its source. It involves manipulating the running state to discover possible security vulnerabilities. It mounts a simulated attack on the application or program and observes how it reacts.
These two tests are often viewed as conflicting with each other, but for an integrated code review both are equally important to perform.
Benefits and Limitations of Dynamic Analysis
Benefits
1) Locates vulnerabilities in the runtime environment.
2) Helps in validating static analysis's findings.
3) Allows analyzing programs without having access to the actual code.
4) Identifies susceptibilities that might be shown as false negatives in static analysis.
5) It can be conducted against any application.
Limitations
1) No guarantee of full test coverage of source code.
2) It becomes difficult to trace the vulnerabilities found back to their original location in the source code.
3) It needs a longer timeframe to put in the fixes.
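As an added illustration (not code from the original page) of the points above, the script below applies both approaches to a small constructed program: a static pass over the syntax tree finds the uncalled function and the statement after a return without running anything, while a dynamic pass executes the program under a tracer and sees only the lines that actually ran, so dead code never appears in its coverage. The sample program SAMPLE and the two helper functions are assumptions made for this example.

```python
import ast
import sys

# Constructed sample program (not from the original page): add() has dead code
# after its return, and unused_helper() is defined but never called.
SAMPLE = '''def add(a, b):
    return a + b
    print("never reached")

def unused_helper(x):
    return x * 2

result = add(2, 3)
'''

def static_findings(source):
    """Static analysis: walk the AST without executing anything."""
    tree = ast.parse(source)
    findings = []
    defined, called = {}, set()
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            defined[node.name] = node.lineno
            # Any statement that follows a return in the same block is dead code.
            for i, stmt in enumerate(node.body[:-1]):
                if isinstance(stmt, ast.Return):
                    findings.append(("unreachable code", node.body[i + 1].lineno))
                    break
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            called.add(node.func.id)
    for name, line in defined.items():
        if name not in called:
            findings.append(("uncalled function " + name, line))
    return sorted(findings, key=lambda f: f[1])

def dynamic_coverage(source):
    """Dynamic analysis: run the program and record which lines executed."""
    executed = set()
    code = compile(source, "<sample>", "exec")

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code.co_filename == "<sample>":
            executed.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        exec(code, {})
    finally:
        sys.settrace(None)
    return executed
```

static_findings(SAMPLE) reports line 3 (unreachable) and line 5 (uncalled function), while dynamic_coverage(SAMPLE) returns only lines that ran, which never include line 3 or line 6.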
Let us now quickly see the main differences between these two tests:
| Static Analysis | Dynamic Analysis |
| --- | --- |
| Done at the initial stage, before execution | Done at a later stage, during execution |
| Done at non-runtime | Done at runtime |
| Internal observation of the structure | External observation of performance |
| Focuses on structural aspects | Focuses on functional aspects |
| Application data and control paths are created to check for vulnerabilities | A simulated attack is mounted on the program to check how it responds, and then susceptibilities are identified |
| As the name suggests, a fixed approach with decided parameters | As the name suggests, dynamic in nature and largely dependent on the challenges faced during execution |