Managing vulnerabilities involves a wide array of security testing, including both dynamic and static source code analysis. So what is the difference between static code analysis and dynamic code analysis? Is one method preferred over another in terms of security and performance?
Static and dynamic code analyses are performed during source code reviews. Static code analysis is done without executing any of the code; dynamic code analysis relies on studying how the code behaves during execution.
When performing comprehensive source code reviews, both static and dynamic testing should be performed. Static analysis source code testing is adequate for understanding security issues within program code and can usually pick up about 85% of the flaws in the code.
Dynamic code review has the additional ability to find security issues caused by the code’s interaction with other system components like SQL databases, application servers or Web services. (Parameters are sent to back-end servers for processing, which could be modified before returning.)
- Your Title Goes Here 85%
Dynamic code reviews, presented with a wide range of inputs and security tests, will generally pick up about 85% of the flaws present in the code. It’s important to note, however, that dynamic code review software has to be able to understand the source code of the program to adequately build a series of correct inputs for test coverage.
- Your Title Goes Here 95%
Combining both types of code review should pick up about 95% of the flaws, provided the reviews are done by someone able to understand the source code during static analysis, and that the range of tests for dynamic analysis is sufficiently wide.
Code analysis in itself produces secure code, but other issues, such as changes within the system build, need to also be considered to produce a secure system.
Potentially devastating attacks unrelated to flaws within the source code might exist. Therefore, additional testing, such as performing penetration testing in conjunction with validating server configuration, should be performed in concert with source code reviews.