Close this Advertisement

What is your e-mail address?
My e-mail address is:

Do you have a password?
Forgot your password? Click here
close

EmbedEmbed

SOFTWARE ASSURANCE

Static vs. dynamic code analysis: advantages and disadvantages

What are the advantages and limitations of static and dynamic software code analysis? Maj. Michael Kleffman of the Air Force’s Application Software Assurance Center of Excellence spelled it out.

In this report

Software's persistent flaws
A flight plan for safer software
Static vs. dynamic code analysis: advantages and disadvantages
Want safer software? Start with this list

Static code analysis advantages:

  1. It can find weaknesses in the code at the exact location.
  2. It can be conducted by trained software assurance developers who fully understand the code.
  3. It allows a quicker turn around for fixes.
  4. It is relatively fast if automated tools are used.
  5. Automated tools can scan the entire code base.
  6. Automated tools can provide mitigation recommendations, reducing the research time.
  7. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.

Static code analysis limitations:

  1. It is time consuming if conducted manually.
  2. Automated tools do not support all programming languages.
  3. Automated tools produce false positives and false negatives.
  4. There are not enough trained personnel to thoroughly conduct static code analysis.
  5. Automated tools can provide a false sense of security that everything is being addressed.
  6. Automated tools only as good as the rules they are using to scan with.
  7. It does not find vulnerabilities introduced in the runtime environment.

Dynamic code analysis advantages:

  1. It identifies vulnerabilities in a runtime environment.
  2. Automated tools provide flexibility on what to scan for.
  3. It allows for analysis of applications in which you do not have access to the actual code.
  4. It identifies vulnerabilities that might have been false negatives in the static code analysis.
  5. It permits you to validate static code analysis findings.
  6. It can be conducted against any application.

Dynamic code analysis limitations:

  1. Automated tools provide a false sense of security that everything is being addressed.
  2. Automated tools produce false positives and false negatives.
  3. Automated tools are only as good as the rules they are using to scan with.
  4. There are not enough trained personnel to thoroughly conduct dynamic code analysis [as with static analysis].
  5. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.

Related Articles

Reader Comments

Tue, Apr 24, 2012 Stephen

Agree with Bob completely. They should complement each other.

Wed, Nov 9, 2011 ross

Correct. Both should be employed together to overcome shortcomings of each other.

Tue, Feb 10, 2009 bob

I think the premise is wrong with this article. Should not be static vs dynamic. These two analysis methodologies are complementary and should be employed together. Static analysis should actually be incorporated into the developers workstation and inside the IDE. While not all tools and IDEs are supported they're on the way. Implementation is costly but so is rework and being hacked. Building security into the software lifecycle is essential these days. Dynamic analysis can work as a secondary check. Kind of like IV&V. There are even SAAS offerings in the dynamic analysis market space. Either way the tools are worth the money in today’s cyberworld. Especially with high MAC systems. Bottom line--It's not static vs dynamic it’s static and dynamic.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above
GCN Awards 2012

Related Podcasts

Related Webcasts

Related White Papers

More Resources

GCN eNewsletters

Editorial Webcasts

  • Cloud Computing: Ushering in the Next Wave of Data Center Consolidation Register Now

    In this webcast, a government IT expert will explore the top considerations, operational requirements and policy challenges inherent to integrating new and legacy applications in the cloud. You will explore the pros and cons of adopting a public vs. private cloud model based on your specific security and operational requirements, as well as how you can fully leverage your cloud investment to achieve efficiency, collaboration and transparency needs. Read more

More Editorial Webcasts