Dev: Static vs Dynamic Code Analysis
Static Code Analysis
Static analysis examines source code, byte code or application binaries without executing them. It therefore concentrates on the internal structure of the code rather than on its observable behaviour, and it is performed in a non-runtime environment, i.e. not while the program is running.
The analyser builds a model of the application's data flow and control flow (for example, which variables are derived from untrusted input and which functions that data reaches) and checks those paths for known classes of weakness, such as untrusted data arriving at a command or SQL sink without sanitisation. Because nothing is executed, each finding points at an exact file and line, but some findings will be false positives that the real runtime context would have ruled out.
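The following is an added example, not code from the original post: a toy static analyser in Python that does at small scale what the paragraph above describes. It parses a program into an AST, records which variables are assigned from untrusted sources, propagates that taint through assignments, and reports calls to dangerous sinks whose arguments derive from tainted data. The source, sink and sanitiser lists and the sample program it analyses are constructed for this example; a real tool carries thousands of such rules and handles branches, loops and calls between functions, which this one deliberately does not.

```python
"""Toy static (SAST-style) taint analysis built on Python's ast module.

Intraprocedural and flow-sensitive only for straight-line code: it does not
merge taint across if/else branches, loops or AugAssign, and does not follow
calls between functions. Source/sink/sanitiser lists and the sample program
are constructed for this example.
"""
import ast

# Constructed rule lists; a production analyser ships far more of these.
TAINT_SOURCES = {"input", "sys.argv", "request.args.get"}
DANGEROUS_SINKS = {"eval", "exec", "os.system", "subprocess.call"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or a taint source outside a sanitiser call."""
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
        return False  # everything under a sanitiser call is treated as clean
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in TAINT_SOURCES:
        return True
    if isinstance(expr, ast.Name) and expr.id in tainted:
        return True
    if dotted_name(expr) in TAINT_SOURCES:  # e.g. sys.argv read as a value
        return True
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


class TaintChecker(ast.NodeVisitor):
    """Walks the AST, tracking tainted variable names per function."""

    def __init__(self):
        self.tainted = set()
        self.findings = []  # (line number, sink name)

    def visit_FunctionDef(self, node):
        saved = self.tainted
        self.tainted = set()  # fresh taint state for each function body
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        rhs_tainted = is_tainted(node.value, self.tainted)
        for target in node.targets:
            name = dotted_name(target)
            if name is None:
                continue
            if rhs_tainted:
                self.tainted.add(name)
            else:
                self.tainted.discard(name)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in DANGEROUS_SINKS and any(is_tainted(a, self.tainted) for a in node.args):
            self.findings.append((node.lineno, sink))
        self.generic_visit(node)


def analyze(source):
    """Return [(line, sink), ...] for every sink call reached by tainted data."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample program to analyse (line 1 is the import line).
SAMPLE = '''import os, shlex, sys

def run_safe():
    host = input("host: ")
    os.system("ping -c 1 " + shlex.quote(host))   # sanitised: not reported

def run_unsafe():
    host = input("host: ")
    cmd = "ping -c 1 " + host
    os.system(cmd)                                 # reported: command injection

def eval_argv():
    expr = sys.argv[1]
    return eval(expr)                              # reported: code injection

def clean():
    n = input("n: ")
    n = 5
    eval(str(n))                                   # n overwritten by a constant: not reported
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}()")
```

Running it reports lines 10 and 14 of the sample and stays silent on the sanitised and overwritten cases, which is the "data and control paths are created and checked" idea in miniature: the verdict comes entirely from the text of the program, never from running it.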
Dynamic Code Analysis
Dynamic code analysis, also called Dynamic Application Security Testing (DAST), tests a running application for exploitable vulnerabilities by sending it inputs and observing its responses, without access to the source. Because the application is exercised in a realistic execution environment, DAST can find issues that static analysis cannot see, such as deployment and configuration errors (verbose error pages, debug modes left enabled, missing security headers) that only appear once the software is actually running. The trade-off is that a DAST tool reports the request that triggered a finding rather than the line of code responsible, and it cannot report on code paths it never reaches.
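The following is an added example, not code from the original post: a tiny DAST-style probe in Python. A deliberately vulnerable WSGI application is started on localhost in a background thread, and a black-box scanner sends crafted requests and inspects only the responses. One of the findings, a stack trace leaked because a DEBUG flag was left on, is exactly the kind of runtime configuration error the paragraph above refers to. The application, the DEBUG flag, the marker payload and the two checks are constructed for this example.

```python
"""Toy dynamic (DAST-style) probe against a running web application.

Nothing here reads the target's source: findings come purely from observed
runtime behaviour. The vulnerable app, the DEBUG misconfiguration and the
payloads are constructed for this example.
"""
import html
import threading
import traceback
import urllib.error
import urllib.parse
import urllib.request
from wsgiref.simple_server import WSGIRequestHandler, make_server

DEBUG = True  # constructed misconfiguration: verbose error pages left on in "production"


def vulnerable_app(environ, start_response):
    """Constructed target: /greet reflects input unescaped, /safe escapes it,
    /item crashes on a non-numeric id and leaks a traceback when DEBUG is on."""
    path = environ.get("PATH_INFO", "")
    params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", ["world"])[0]
    try:
        if path == "/greet":
            status, body = "200 OK", f"<h1>Hello {name}</h1>"
        elif path == "/safe":
            status, body = "200 OK", f"<h1>Hello {html.escape(name)}</h1>"
        elif path == "/item":
            item_id = int(params.get("id", ["1"])[0])  # ValueError on "abc"
            status, body = "200 OK", f"<p>item {item_id}</p>"
        else:
            status, body = "404 Not Found", "not found"
    except Exception:
        status = "500 Internal Server Error"
        body = traceback.format_exc() if DEBUG else "internal error"
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


class QuietHandler(WSGIRequestHandler):
    def log_message(self, *args):  # silence per-request logging during the scan
        pass


def start_server():
    """Serve the target on a random localhost port; returns (server, base_url)."""
    server = make_server("127.0.0.1", 0, vulnerable_app, handler_class=QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def fetch(base, path, **params):
    """GET base+path with query params; returns (status, body) even for 4xx/5xx."""
    url = f"{base}{path}?{urllib.parse.urlencode(params)}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Unique marker containing characters that must be escaped in HTML output.
MARKER = 'dastq7<"\'>'


def scan(base):
    """Black-box checks: reflected XSS and stack-trace disclosure."""
    findings = []
    for path in ("/greet", "/safe"):
        _, body = fetch(base, path, name=MARKER)
        if MARKER in body:  # echoed verbatim, so attacker-controlled HTML would render
            findings.append((path, "reflected-xss"))
    status, body = fetch(base, "/item", id="not-a-number")
    if status == 500 and "Traceback (most recent call last)" in body:
        findings.append(("/item", "stack-trace-disclosure"))
    return findings


def run_scan():
    """Start the target, scan it, shut it down, return the findings."""
    server, base = start_server()
    try:
        return scan(base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, issue in run_scan():
        print(f"{path}: {issue}")
```

The scanner has no idea which line builds the HTML or which flag enables the traceback; it only knows that one URL echoed its marker unescaped and another answered a malformed id with a Python traceback. Flip DEBUG to False and the second finding disappears even though the handler code is unchanged, which is why this class of issue is found at runtime rather than in source.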
| Static Analysis | Dynamic Analysis |
| --- | --- |
| Done early, before the code is executed | Done later, while the application is running |
| Performed in a non-runtime environment | Performed at runtime |
| Internal observation of the code's structure | External observation of the application's behaviour |
| Focuses on structural aspects | Focuses on functional aspects |
| Data-flow and control-flow paths are built from the code and checked for weaknesses | Simulated attacks are sent to the running program and its responses are examined for weaknesses |
| Fixed: the same artefact is checked against a predetermined rule set | Depends on the inputs, state and environment actually encountered during execution |
| Reports an exact file and line; prone to false positives | Reports the triggering request, not its location in code; misses anything it never reaches (false negatives) |