Static analysis (also known as static code analysis and source code analysis) uses tools to review program code, searching for application coding flaws, back doors, or other malicious code that could give hackers access to critical company data or customer information. In some cases the analysis is performed on some version of the source code; in other cases it is performed on some form of the object code. When static analysis scans source or object code, it evaluates the security and functioning of the software while the program is not running, generally early in the development lifecycle. Static analysis is typically performed by an automated tool.
Static code analysis is performed early in development (before software unit testing), which enables potential bugs in code to be discovered before they enter production. In turn, this speeds up the overall process, as it becomes easier and less costly for developers to fix problems early in the DevOps lifecycle.
The main difference between static analysis and dynamic analysis lies in when defects are found in the development lifecycle. Static analysis identifies defects between coding and unit testing, without any code execution. Dynamic analysis identifies defects during unit testing and examines how code behaves during execution.
Speed – Using automated tools is much faster than manual analysis and allows problems to be addressed early on at a lower cost.
Depth – Static analysis tools are able to provide in-depth code analysis as developers work on their build, while providing insight into where there may be potential problems.
Accuracy – Unlike manual code reviews, which are prone to human error, automated tools scan every line of code to identify potential issues, which helps to maintain secure code before testing begins.
Static analysis tools often have difficulty identifying unexpected issues that may arise during runtime.
Since misconfigurations are a major source of vulnerabilities, static analysis alone is not sufficient to guarantee application security.
Where an application's code dynamically loads third-party libraries at runtime, dynamic analysis becomes the more feasible approach to ensuring security.
Static analysis tools may produce false positives/negatives in the results due to their reliance on abstract models and representations of program data flows and logic, along with their inability to understand developer intent within given coding contexts.
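To make the false positive/negative point concrete, here is a minimal static checker added as an example (it is not code from the original page or from any particular tool). It parses Python source without executing it and flags `subprocess.*` calls that use `shell=True` with a non-literal command; the three sample programs are constructed, and `user_input` in them is a placeholder for untrusted data. Because the rule works on syntax alone, it flags a harmless literal bound to a variable (false positive) and misses the same call made through `from subprocess import run` (false negative).

```python
import ast

# Constructed sample inputs (not from the page): three small programs the
# checker is run over. The name user_input is a placeholder for tainted data.
TRUE_POSITIVE = "import subprocess\nsubprocess.run('ls ' + user_input, shell=True)\n"
FALSE_POSITIVE = "import subprocess\ncmd = 'ls -l'\nsubprocess.run(cmd, shell=True)\n"
FALSE_NEGATIVE = "from subprocess import run\nrun('ls ' + user_input, shell=True)\n"


class ShellTrueChecker(ast.NodeVisitor):
    """Flag subprocess.<call>(cmd, shell=True) when cmd is not a string literal.

    The rule works purely on the syntax tree: it neither tracks data flow
    nor resolves imports, which is what produces the two misclassifications.
    """

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        is_subprocess_call = (
            isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess"
        )
        shell_true = any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        if is_subprocess_call and shell_true and node.args:
            # A literal command is accepted; anything else is reported.
            if not isinstance(node.args[0], ast.Constant):
                self.findings.append((node.lineno, "shell=True with non-literal command"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse the source without running it; return (lineno, message) findings."""
    checker = ShellTrueChecker()
    checker.visit(ast.parse(source))
    return checker.findings


if __name__ == "__main__":
    for label, src in [("true positive", TRUE_POSITIVE),
                       ("false positive", FALSE_POSITIVE),
                       ("false negative", FALSE_NEGATIVE)]:
        print(f"{label}: {scan(src)}")
```

Closing either gap (tracking the value of `cmd`, resolving the imported name) means building a richer program model, which is exactly the extra abstraction that real tools trade off against speed and precision.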
The best approach to ensuring security of the application is to combine both static and dynamic code analysis in the SDLC. This enables the best of both worlds – static analysis can improve overall code and software quality by eliminating many issues before runtime, while dynamic analysis finds errors at runtime and vulnerabilities that could not be detected using static methods.