Whether to use static or dynamic source code analysis is a long-running, ongoing open question. IT professionals use both methods for application debugging and security, a crucial facet of software quality.
Static source code analysis reveals vulnerable points in a codebase or application design. Static code analysis examines or models code to uncover security vulnerabilities without executing the code itself. This approach presumes that the structure of source code determines potential issues in the application.
Dynamic source code analysis evaluates applications from the outside, as they execute. This method is a way to examine the inputs and outputs of application components to determine what might alter its operating state.
Code review can rely on static or dynamic code analysis — or both, simultaneously. All applications that provide any form of external interface offer an attack surface, and plugging those gaps is an increasing problem as componentization and cloud computing increase the threat level.
What static code analysis is good for
Static source code analysis presumes that a given application component has a predictable set of interfaces and properties that a programming professional or suitable tool can examine or model to discover security gaps. It’s possible to perform static analysis on individual components, both in isolation and at any stage in development. Thus, static code analysis is usually more effective in finding security vulnerabilities than the dynamic approach.
Modern software development techniques that create well-documented APIs and well-defined workflows tend to facilitate static code analysis. The more structured the code relationships (workflows), the easier they are to model or analyze, especially when static code analysis is integrated into project code review practices during the development cycle.
However, not everything goes according to plan. Don’t assume the only vulnerabilities stem from design shortcomings. It’s possible, for example, for vulnerabilities to exist that aren’t an expected part of an API or open data element. Many vulnerabilities occur because of mistakes that enable an attacker to exploit the components in a way the development team did not foresee. Static code analysis efforts can fall into a trap of making the same assumptions as those made during development, without the ability to account for unexpected issues.
What dynamic code analysis is good for
Dynamic source code analysis finds accidental vulnerabilities in development or integration techniques. IT professionals perform dynamic code analysis on running software and look for signals that an outside agent can compromise the codebase. Thus, the application security method mirrors the way that applications actually work.
Dynamic code analysis looks at all of the actual behaviors of a system, not just the expected behaviors. However, it’s difficult to do meaningful dynamic code analysis without assembling and running the entire application. Accordingly, programmers can’t apply dynamic code analysis early in development, as they won’t have behaviors to examine.
Dynamic code analysis might not be able to assess all possible execution paths if the test design or selected tools are lacking; a missed path means an incomplete analysis.
Finally, dynamic code analysis is best handled as a part of a broader QA strategy. The organization should adopt and emphasize dynamic source code analysis throughout the SDLC; otherwise, it won’t see the benefits of the approach.
How to use source code analysis tools
Static and dynamic code analysis tools are a popular means to improve application security. These tools are better than manual analysis because of the variable set of development practices that occur in the real world. Rather than perform static code analysis manually, an organization should model the application work and control flows, then analyze code for vulnerabilities. Similarly, the organization could manually examine and introduce test data for dynamic code analysis, but a source code analysis tool eases this effort. However, even source code analysis tools have their issues.
Static and dynamic code analysis tools on the market tend to be specialized by programming language, especially the former. Tools exist that work primarily at the website level, meaning they focus on HTML and related languages. There are also tools designed for programming languages like C, C++ and Java. If the development team uses a wide and variable set of programming languages, it might be difficult to put together a single toolkit for code analysis. Any form of source code analysis would be hard to apply and sustain without restricting programming choices.
In a CI/CD pipeline, it’s difficult to practice dynamic code analysis because of a lack of a stable executable program to test. The only place for dynamic code analysis is at deployment, where fixing a defect could stall the whole pipeline.
Neither static nor dynamic code analysis is better than the other. The best approach likely depends on the development models in use within the organization. The best approach may be to use them together. As a general rule, choose a tool or toolkit that supports both static and dynamic code analysis, and harmonizes well with other development tools in use.