Dynamic analysis is the testing and evaluation of a program by executing it on real data in real time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline.
By exercising a program in all the scenarios for which it is designed, dynamic analysis reduces the need to artificially create situations likely to produce errors. Other advantages include reducing the cost of testing and maintenance, identifying and eliminating unnecessary program components, and ensuring that the program being tested is compatible with other programs. Its limitation is the mirror image of its strength: it can only report on the execution paths that the test inputs actually reach.
A daily build and smoke test (also known as smoke testing) is one type of dynamic analysis.
Static analysis - A family of program analysis techniques in which the program is not actually executed (as opposed to dynamic analysis) but is analyzed by tools to produce useful information.
Static analysis techniques range from the most mundane (statistics on the density of comments, for instance) to the more complex, semantics-based techniques.
Qualities sought in static analysis techniques are soundness and completeness: a sound analysis never misses a defect of the class it checks for (no false negatives), and a complete one never reports a defect that is not there (no false positives). Practical analyzers trade one against the other, so their findings still need human review.
Application security
increased by static and dynamic code analysis
Integrating security measures into the software development life cycle (SDLC) is crucial to Web application security. One of these measures is source code analysis, which includes both static and dynamic analysis.
With increased reliance on the Web and the growth in Web application-based attacks, Bill Gates' call for companies to strive for excellence in security engineering at all stages of development was timely, if not overdue. In an effort to share best practices for developing secure code, Microsoft released its Security Development Lifecycle (SDL). The SDL subjects products to static and dynamic code analysis to test for technical and logical vulnerabilities and to determine whether products can withstand malicious attacks. Let's look at the benefits of adding this process to your application security strategy.
Static analysis involves reviewing an application's source code without executing the application, using automated tools that reason about what the code could do on every potential execution path. The tools can produce diagrammatic or graphical representations of the code (call graphs, control-flow and data-flow graphs), which give programmers a better understanding of the effects of the code that will execute. Experienced developers then need to analyze the results and examine any suspect source code to remove the coding errors, since the tools also report false positives. While compilers only identify language-rule violations, such as type violations and syntax errors, static analysis checks the source code for semantic errors that pass through the compiler and result in buffer overflows, invalid pointer references, uninitialized variables and other vulnerabilities.
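As an added example (not code from the original article or from Microsoft's SDL), the C below shows two of the defects just listed, a buffer overflow and an uninitialized variable, in code that any compiler accepts, beside hardened versions, and then exercises the hardened versions with a small smoke test of the kind the dynamic-analysis section above describes. The struct, function names and the 16-byte name limit are hypothetical; the static analyzer that would flag the bad versions is not shown, only the patterns it looks for.

```c
/* Added example, not from the original article. All names and sizes are
 * hypothetical. Compile with: cc -Wall -o analysis_demo analysis_demo.c */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16

/* --- Defects a compiler accepts but a static analyzer reports ----------- */

struct user_bad { char name[NAME_MAX]; int admin; };

/* Buffer overflow: strcpy() has no bound, so a source longer than
 * NAME_MAX-1 bytes writes past 'name' and clobbers 'admin'. A static
 * analyzer that tracks buffer sizes flags this line without running it.
 * Never call this with untrusted input; it is here only as the pattern. */
int set_name_bad(struct user_bad *u, const char *src) {
    strcpy(u->name, src);
    return 0;
}

/* Uninitialized variable: 'len' is never assigned when s == NULL, yet it
 * is returned. Type-checks fine; a data-flow analysis catches the path. */
int parse_len_bad(const char *s) {
    int len;
    if (s != NULL) len = (int)strlen(s);
    return len;
}

/* --- Hardened versions -------------------------------------------------- */

struct user { char name[NAME_MAX]; int admin; };

/* Explicit bound; an over-long name is rejected (-2) rather than silently
 * truncated or overflowed, and NULL arguments are rejected (-1). */
int set_name(struct user *u, const char *src) {
    if (u == NULL || src == NULL) return -1;
    size_t n = strlen(src);
    if (n >= NAME_MAX) return -2;      /* would not fit with its NUL terminator */
    memcpy(u->name, src, n + 1);
    return 0;
}

/* Every path assigns 'len'; -1 is the documented "no input" result. */
int parse_len(const char *s) {
    int len = -1;
    if (s != NULL) len = (int)strlen(s);
    return len;
}

/* --- Dynamic side: a smoke test that actually runs the hardened code ---- */

/* Exercises the edge cases a reviewer would want covered: empty name,
 * exactly-fitting name, one-byte-too-long name, NULL, and the NULL path of
 * parse_len(). Returns the number of checks (out of 5) that passed, and
 * verifies that a rejected name left 'admin' untouched. */
int smoke_test(void) {
    struct user u;
    int passed = 0;
    memset(&u, 0, sizeof u);

    if (set_name(&u, "") == 0 && u.name[0] == '\0') passed++;
    /* 15 characters: the longest name that fits with its terminator */
    if (set_name(&u, "abcdefghijklmno") == 0 &&
        strcmp(u.name, "abcdefghijklmno") == 0) passed++;
    /* 16 characters: must be rejected, and 'admin' must still be 0 */
    if (set_name(&u, "abcdefghijklmnop") == -2 && u.admin == 0) passed++;
    if (set_name(&u, NULL) == -1) passed++;
    if (parse_len(NULL) == -1 && parse_len("abc") == 3) passed++;
    return passed;
}

int main(void) {
    printf("smoke test: %d/5 checks passed\n", smoke_test());
    return 0;
}
```

The point of pairing the two halves: the static analyzer would report `strcpy` and the uninitialized `len` before the program is ever run, while the smoke test only proves the hardened code behaves on the five inputs it was given. Neither half alone covers what the other does, which is why the SDL applies both.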