STATIC & DYNAMIC ANALYSIS
Static analysis involves examining the code, without running it, to find any possible defects. Dynamic analysis involves executing the code and analyzing its behavior and output.
It's important to know the difference so you can understand the capabilities of different security analysis tools. In the past, most web and network application security scanners used dynamic analysis, while general-purpose tools used static analysis. However, both forms of analysis have their advantages and disadvantages, so an increasing number of tools combine static and dynamic techniques.
Static analysis tools parse and analyze the source code without running it. Type checking is a familiar form of static analysis. Static analysis tools typically perform a conservative and sound analysis; that is, since the tools don't run the program, their results need to be generalizable across all possible executions. This limits what static analysis tools can tell you and means that they will produce false positives.
Static analysis tools take a long time to run, so they typically approximate program behavior to run faster, which introduces the possibility of false negatives.
Dynamic analysis tools execute the program and observe its behavior over a number of runs. The advantage is that you don't have to abstract or approximate as static analysis tools do; you know exactly which control paths the program followed and what data was used. Dynamic tools are as fast as your program execution. However, the disadvantage of dynamic analysis is the problem of determining whether the input you used and the executions you observed are generalizable to all possible inputs and executions.
Both forms of analysis are useful. Each form of analysis observes a different set of program executions, limited by approximations (static analysis) or by the input set (dynamic analysis). Dynamic analysis tools have to worry more about false negatives, while static analysis tools have to worry more about false positives. Dynamic analysis is fast, while static analysis is slow (and more accurate the longer it runs). However, it's often easier to introduce static analysis early in the development cycle. Some organizations introduce a fast static analysis as an automatic step in compilation or source code check-in, while using a longer, more in-depth static analysis for security.
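The trade-off above, as an added example that is not part of the original article: a minimal static check (parse the source, flag every eval() call) and a minimal dynamic check (run the program with eval() intercepted, record which calls actually execute) are applied to a small constructed sample program, and each tool's findings are compared with the sample's known answer. The sample program, the helper names, and the ground-truth line are all constructed for this example.

```python
import ast
import builtins
import sys

# Constructed sample program for this example (not code from the page).
# Only line 6 is a real problem: caller-controlled data reaches eval().
SAMPLE = '''
DEBUG = False

def render(template, legacy=False):
    if legacy:
        return eval(template)      # caller-controlled string reaches eval
    return template.upper()

def dump(obj):
    if DEBUG:                      # never true in this build: dead branch
        return eval(repr(obj))
    return str(obj)
'''
TRUE_FINDINGS = [6]  # ground truth for the constructed sample

def static_scan(source):
    """Static analysis: parse the source without running it and report every
    eval() call. Sound for the rule, but the result must hold for all possible
    executions, so the dead branch on line 11 is reported too (false positive)."""
    return sorted(node.lineno for node in ast.walk(ast.parse(source))
                  if isinstance(node, ast.Call)
                  and isinstance(node.func, ast.Name) and node.func.id == "eval")

def dynamic_scan(source, calls):
    """Dynamic analysis: run the program with eval() intercepted and report the
    line of each call that actually executed. Exact for the runs observed, but
    a path no input reaches (line 6 without legacy=True) is a false negative."""
    seen, real_eval = set(), builtins.eval
    def spy(expr, *args, **kwargs):
        seen.add(sys._getframe(1).f_lineno)  # line of the caller inside SAMPLE
        return real_eval(expr, *args, **kwargs)
    ns = {"__builtins__": {**builtins.__dict__, "eval": spy}}
    exec(compile(source, "<sample>", "exec"), ns)
    for name, args, kwargs in calls:       # the "input set" the tool observes
        ns[name](*args, **kwargs)
    return sorted(seen)

def classify(findings):
    """Compare a tool's findings with the known answer for the sample."""
    return {"false_positives": sorted(set(findings) - set(TRUE_FINDINGS)),
            "false_negatives": sorted(set(TRUE_FINDINGS) - set(findings))}

if __name__ == "__main__":
    print("static :", classify(static_scan(SAMPLE)))
    print("dynamic:", classify(dynamic_scan(SAMPLE, [("render", ("hi",), {})])))
```

Adding a call with legacy=True to the input set removes the dynamic tool's false negative, which is exactly the dependence on the input set the text describes; nothing short of reasoning about DEBUG removes the static tool's false positive.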