Dynamic analysis is the testing and evaluation of a program by
executing data in real-time. The objective is to find errors in a program while
it is running, rather than by repeatedly examining the code offline.
By debugging a program in
all the scenarios for which it is designed, dynamic analysis eliminates the
need to artificially create situations likely to produce errors. Other
advantages include reducing the cost of testing and maintenance, identifying
and eliminating unnecessary program components, and ensuring that the program
being tested is compatible with other programs.
A daily build and smoke
test (also known as smoke testing) is one type of dynamic analysis.
Static analysis - A family of techniques of program analysis where the
program is not actually executed (as opposed to dynamic analysis), but is
analyzed by tools to produce useful information.
Static analysis techniques
range from the most mundane (statistics on the density of comments, for
instance) to the more complex, semantics-based techniques.
Qualities sought in static
analysis techniques are soundness and completeness.
Application security
increased by static and dynamic code analysis
Integrating security
measures into the software development life cycle (SDLC) is crucial Web
application security. One of these measures is source code analysis, which
includes both static and dynamic analysis.
With increased reliance on
the Web and the growth in Web application-based attacks, Bill Gates' call for
companies to strive for excellence in security engineering at all stages of
development was timely, if not overdue. In an effort to share best practices
for developing secure code, Microsoft released their Security Development
Lifecycle (SDL). SDL subjects products to static and dynamic code analysis to test
for technical and logical vulnerabilities, and determine if products can
withstand malicious attacks. Let's look at the benefits of adding this process
to your application security strategy.
Static analysis involves
reviewing an application's source code without executing the application itself
using automated tools that analyze what the code does during every potential
program execution. This allows the programmers to create diagrammatic or
graphical representations of the code, which gives them a better understanding
of the executed code's effects. It is then necessary to have experienced
developers analyze the results and examine any suspect source code to remove
the coding errors. While program compilers only identify language rule
violations, such as type violations and syntax errors, static analysis checks
the source code for problems such as semantical errors that pass through
compilers and result in problems such as buffer overflow, invalid pointer
references, uninitialized variables and other vulnerabilities.
However, some problems are
difficult to foresee during static analysis. Interaction of multiple functions
can generate unanticipated errors, which only become apparent during component-level
integration, system integration or deployment. Therefore, once the software is
functionally complete, dynamic analysis should be performed. Dynamic analysis
reveals how the application behaves when executed, and how it interacts with
other processes and the operating system itself. While static analysis can find
errors early in the software development life cycle, dynamic analysis tests the
code in real-life attack scenarios.
Finding and fixing
programming errors can be time consuming, but it is worth it. In fact, Gartner
pegs the cost of removing security vulnerabilities during testing to be less
than 2% of the cost of removing it from a production system. To help you
streamline this process, there are numerous code analysis tools available -- many
of which are free.If you use Microsoft's development environments, Microsoft
offers several free code analysis tools, such as PREfix, PREfast and FxCop.
While including static and
dynamic code analysis in an application security strategy can reduce the risk
of vulnerabilities making it into the final version, the following can help you
improve the overall quality and security of your applications as well:
1. Develop and implement an
application security life cycle. Having an application security life cycle in
place can reduce the cost of eradicating vulnerabilities and make your efforts
more effective. For example, Microsoft found that using their SDL has significantly reduced the rate
of external discovery of security vulnerabilities.
2. Move your security
assessment phase into the development phase. Many developers have found that
doing so actually reduces overall application development times.
3. Repeat the security
assessment process when the business logic in the application changes. This is
necessary to evaluate the impacts of any changes on overall application
security.
Subscribe to this comment's feed
