SOFTWARE ASSURANCE

Static vs. dynamic code analysis: advantages and disadvantages

What are the advantages and limitations of static and dynamic software code analysis? Maj. Michael Kleffman of the Air Force’s Application Software Assurance Center of Excellence spelled it out.

Static code analysis advantages:

  1. It can find weaknesses in the code at the exact location.
  2. It can be conducted by trained software assurance developers who fully understand the code.
  3. It allows a quicker turnaround for fixes.
  4. It is relatively fast if automated tools are used.
  5. Automated tools can scan the entire code base.
  6. Automated tools can provide mitigation recommendations, reducing the research time.
  7. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.

Static code analysis limitations:

  1. It is time consuming if conducted manually.
  2. Automated tools do not support all programming languages.
  3. Automated tools produce false positives and false negatives.
  4. There are not enough trained personnel to thoroughly conduct static code analysis.
  5. Automated tools can provide a false sense of security that everything is being addressed.
  6. Automated tools are only as good as the rules they are using to scan with.
  7. It does not find vulnerabilities introduced in the runtime environment.

Dynamic code analysis advantages:

  1. It identifies vulnerabilities in a runtime environment.
  2. Automated tools provide flexibility on what to scan for.
  3. It allows for analysis of applications in which you do not have access to the actual code.
  4. It identifies vulnerabilities that might have been false negatives in the static code analysis.
  5. It permits you to validate static code analysis findings.
  6. It can be conducted against any application.

Dynamic code analysis limitations:

  1. Automated tools provide a false sense of security that everything is being addressed.
  2. Automated tools produce false positives and false negatives.
  3. Automated tools are only as good as the rules they are using to scan with.
  4. There are not enough trained personnel to thoroughly conduct dynamic code analysis [as with static analysis].
  5. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.
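As an added illustration, not part of the article, the toy checkers below show several of the trade-offs listed above on two constructed sample programs: a rule-based static scan that reports the exact source line but is only as good as its rule (one false positive, one false negative), and a runtime hook that sees the call that really executes, but only on the paths the supplied inputs exercise.

```python
import ast
import builtins

DANGEROUS = {"eval", "exec"}


def static_scan(source: str):
    """Rule: flag every direct call to eval()/exec() and report its exact
    source line. Returns [(line_number, name), ...]. Precise about location,
    but blind to anything the rule does not describe."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS):
            findings.append((node.lineno, node.func.id))
    return findings


def dynamic_scan(source: str, entry: str, *args):
    """Run the program with eval() hooked and record the expression strings
    that actually reach it. Sees the real call even through an alias, but
    only on the paths the supplied inputs exercise."""
    seen = []
    real_eval = builtins.eval

    def spy(expr, *a, **kw):
        seen.append(expr)
        return real_eval(expr, *a, **kw)

    namespace = {}
    builtins.eval = spy  # hook the builtin for the duration of the run
    try:
        exec(source, namespace)
        namespace[entry](*args)
    finally:
        builtins.eval = real_eval
    return seen


# Constructed sample 1: eval() on a constant. The static rule flags line 2,
# but no untrusted data can reach it, so the finding is a false positive.
CONSTANT_EVAL = "def version():\n    return eval('(1, 2, 3)')\n"

# Constructed sample 2: the callee is resolved at runtime via getattr, so the
# name-based rule never sees it (a false negative), although caller-supplied
# text really does reach eval() when the program runs.
ALIASED_EVAL = (
    "import builtins\n"
    "def run(expr, fn='eval'):\n"
    "    return getattr(builtins, fn)(expr)\n"
)
```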

About the Author

William Jackson is a Maryland-based freelance writer.


Reader Comments

Tue, Dec 1, 2015 husna

I do agree that static code analysis and dynamic code analysis should be employed together. Basically, the limitations of static code analysis can be improved by the advantages of dynamic code analysis, and vice versa. For instance, although static code analysis is able to find errors in the code at the exact location and is relatively fast, it does not find vulnerabilities introduced in the runtime environment. On the other hand, dynamic code analysis does identify vulnerabilities in a runtime environment but has limitations with accuracy and speed. By combining both of the code analyses, it allows the program to be run in an environment where the programmer can track the instructions being processed by the program and debug any errors that may arise more efficiently.

Tue, Dec 4, 2012

Quite interesting, useful content. Thanks.

Tue, Apr 24, 2012 Stephen

Agree with Bob completely. They should complement each other.

Wed, Nov 9, 2011 ross

Correct. Both should be employed together to overcome shortcomings of each other.

Tue, Feb 10, 2009 bob

I think the premise is wrong with this article. It should not be static vs. dynamic. These two analysis methodologies are complementary and should be employed together. Static analysis should actually be incorporated into the developer's workstation and inside the IDE. While not all tools and IDEs are supported, they're on the way. Implementation is costly, but so is rework and being hacked. Building security into the software lifecycle is essential these days. Dynamic analysis can work as a secondary check. Kind of like IV&V. There are even SaaS offerings in the dynamic analysis market space. Either way the tools are worth the money in today's cyberworld. Especially with high MAC systems. Bottom line: it's not static vs. dynamic, it's static and dynamic.
