Pie

Reputation: 111

What is the difference between static analysis and dynamic analysis?


What is the difference between static analysis and dynamic analysis in terms of cyber security?

Upvotes: -1

Views: 1746

Answers (2)

Sammyp

Reputation: 9

Both are types of software testing that are looking for unintended security vulnerabilities. As such they are separate from the unit or system testing which is focused on verifying expected outcomes or requirements.

Static analysis (SAST) works at the code level. It is code scanning and looks for patterns of known vulnerabilities or poor coding practice. For instance, scanning code to discover the use of insecure libraries.

Dynamic analysis (DAST) works at the compiled system level. It scans built systems looking for known vulnerabilities. For instance, scanning a web application via its front end to find cross-site scripting vulnerabilities.

Both are generally used during the SDLC pre-release. SAST tends to be to the left of DAST and can pick up issues earlier; however, neither is fully effective at picking up all issues, and both are also prone to false positives.

Upvotes: 0

Ira Baxter

Reputation: 95334

Static analysis means "read the source code and try to identify failures". For security, static analysis tools try to find security holes in the code, which are then presumably fixed before the code is released for production use.

Dynamic analysis means "watch the actual execution of the application to identify failures (e.g., deref null pointers, array access past the end of an array, re-use of dynamically allocated block without first freeing it, ...)". Done during application development and debugging, it can find errors which are then presumably fixed before the code is released for production. Done during production execution, it may detect errors the software is about to make, and prevent those errors (e.g., don't actually do the deref, report an application error instead), at the price of considerably higher execution costs because of the intrusive nature of dynamic analysis.

Each has different strengths and weaknesses. Both techniques suffer from the Turing-induced inability to reason about software activities completely. Most of these tools have failings where they miss problems, or report problems that are not real. Usually these tools try to avoid reporting false positives, because people won't use tools that produce lots of such errors. Limiting the false positives tends to limit reporting of real errors too, so you can't be sure that a clean report means "no problems".

Upvotes: 0
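Added illustration, not code from either answer above: a toy pattern-based static scanner run over a constructed C snippet, showing the false-positive / false-negative trade-off both answers describe (the insecure-call rule list, the sample lines and the function names are all assumptions made for the example).

```python
import re

# Constructed C snippet (not from the page). Each line illustrates one point
# from the answers: a real insecure call, the same name inside a comment,
# a prefix match on a differently named wrapper, and a call reached through
# a function pointer that no source-pattern scanner can see.
SAMPLE_C = """\
strcpy(dst, user_input);
/* TODO: replace strcpy with strlcpy */
my_gets(buf, sizeof buf);
copy_fn(dst, user_input);
"""

# Hypothetical rule set: C library calls a SAST tool would treat as insecure.
INSECURE_CALLS = ("gets", "sprintf", "strcat", "strcpy")
CALL_RE = re.compile(r"\b(" + "|".join(INSECURE_CALLS) + r")\s*\(")


def naive_scan(src: str) -> list[int]:
    """Line numbers where an insecure name appears anywhere (substring match)."""
    hits = []
    for n, line in enumerate(src.splitlines(), start=1):
        if any(name in line for name in INSECURE_CALLS):
            hits.append(n)
    return hits


def tuned_scan(src: str) -> list[int]:
    """Line numbers with a real call site: comments stripped, whole-word match."""
    hits = []
    for n, line in enumerate(src.splitlines(), start=1):
        code = re.sub(r"/\*.*?\*/", "", line)  # drop /* ... */ comments
        if CALL_RE.search(code):
            hits.append(n)
    return hits


def false_positives(scan_hits: list[int], truth: set[int]) -> set[int]:
    """Reported lines that are not real problems."""
    return set(scan_hits) - truth


def false_negatives(scan_hits: list[int], truth: set[int]) -> set[int]:
    """Real problems the scan did not report."""
    return truth - set(scan_hits)


# Ground truth for the constructed snippet: lines 1 and 4 really reach strcpy.
TRUTH = {1, 4}

if __name__ == "__main__":
    for name, scan in (("naive", naive_scan), ("tuned", tuned_scan)):
        hits = scan(SAMPLE_C)
        print(name, hits, "FP:", false_positives(hits, TRUTH), "FN:", false_negatives(hits, TRUTH))
```

Tightening the rule removes the two false positives but line 4 stays unreported by both scans: the indirect call is exactly the kind of problem a dynamic check at execution time would catch and a source-pattern scan cannot.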
