SOFTWARE ASSURANCE

Static vs. dynamic code analysis: advantages and disadvantages

What are the advantages and limitations of static and dynamic software code analysis? Maj. Michael Kleffman of the Air Force’s Application Software Assurance Center of Excellence spelled it out.

Static code analysis advantages:

  1. It can find weaknesses in the code at the exact location.
  2. It can be conducted by trained software assurance developers who fully understand the code.
  3. It allows a quicker turn around for fixes.
  4. It is relatively fast if automated tools are used.
  5. Automated tools can scan the entire code base.
  6. Automated tools can provide mitigation recommendations, reducing the research time.
  7. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.

Static code analysis limitations:

  1. It is time consuming if conducted manually.
  2. Automated tools do not support all programming languages.
  3. Automated tools produce false positives and false negatives.
  4. There are not enough trained personnel to thoroughly conduct static code analysis.
  5. Automated tools can provide a false sense of security that everything is being addressed.
  6. Automated tools only as good as the rules they are using to scan with.
  7. It does not find vulnerabilities introduced in the runtime environment.

Dynamic code analysis advantages:

  1. It identifies vulnerabilities in a runtime environment.
  2. Automated tools provide flexibility on what to scan for.
  3. It allows for analysis of applications in which you do not have access to the actual code.
  4. It identifies vulnerabilities that might have been false negatives in the static code analysis.
  5. It permits you to validate static code analysis findings.
  6. It can be conducted against any application.

Dynamic code analysis limitations:

  1. Automated tools provide a false sense of security that everything is being addressed.
  2. Automated tools produce false positives and false negatives.
  3. Automated tools are only as good as the rules they are using to scan with.
  4. There are not enough trained personnel to thoroughly conduct dynamic code analysis [as with static analysis].
  5. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.

Reader Comments

Tue, Dec 4, 2012

quite an interesting useful content . Thanks.

Tue, Apr 24, 2012 Stephen

Agree with Bob completely. They should complement each other.

Wed, Nov 9, 2011 ross

Correct. Both should be employed together to overcome shortcomings of each other.

Tue, Feb 10, 2009 bob

I think the premise is wrong with this article. Should not be static vs dynamic. These two analysis methodologies are complementary and should be employed together. Static analysis should actually be incorporated into the developers workstation and inside the IDE. While not all tools and IDEs are supported they're on the way. Implementation is costly but so is rework and being hacked. Building security into the software lifecycle is essential these days. Dynamic analysis can work as a secondary check. Kind of like IV&V. There are even SAAS offerings in the dynamic analysis market space. Either way the tools are worth the money in today’s cyberworld. Especially with high MAC systems. Bottom line--It's not static vs dynamic it’s static and dynamic.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above