{"id":412,"date":"2015-04-07T00:00:00","date_gmt":"2015-04-07T00:00:00","guid":{"rendered":"http:\/\/www.scmgalaxy.com\/tutorials\/2015\/04\/07\/static-vs-dynamic-code-analysis-advantages-and-disadvantages\/"},"modified":"2017-12-21T07:31:54","modified_gmt":"2017-12-21T07:31:54","slug":"static-vs-dynamic-code-analysis-advantages-and-disadvantages","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/static-vs-dynamic-code-analysis-advantages-and-disadvantages\/","title":{"rendered":"Static vs dynamic code analysis: Advantages and Disadvantages"},"content":{"rendered":"

\"static-vs-dynamic-code-analysis-advantages-and-disadvantages\"<\/p>\n

What are the advantages and limitations of static and dynamic software code analysis? Maj. Michael Kleffman of the Air Force\u2019s Application Software Assurance Center of Excellence spelled it out.<\/p>\n

Static code analysis advantages:<\/strong><\/p>\n

    \n
  1. It can find weaknesses in the code at the exact location.<\/li>\n
  2. It can be conducted by trained software assurance developers who fully understand the code.<\/li>\n
  3. It allows a quicker turn around for fixes.<\/li>\n
  4. It is relatively fast if automated tools are used.<\/li>\n
  5. Automated tools can scan the entire code base.<\/li>\n
  6. Automated tools can provide mitigation recommendations, reducing the research time.<\/li>\n
  7. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.<\/li>\n<\/ol>\n

    Static code analysis limitations:<\/strong><\/p>\n

      \n
    1. It is time consuming if conducted manually.<\/li>\n
    2. Automated tools do not support all programming languages.<\/li>\n
    3. Automated tools produce false positives and false negatives.<\/li>\n
    4. There are not enough trained personnel to thoroughly conduct static code analysis.<\/li>\n
    5. Automated tools can provide a false sense of security that everything is being addressed.<\/li>\n
    6. Automated tools only as good as the rules they are using to scan with.<\/li>\n
    7. It does not find vulnerabilities introduced in the runtime environment.<\/li>\n<\/ol>\n

      Dynamic code analysis advantages:<\/strong><\/p>\n

        \n
      1. It identifies vulnerabilities in a runtime environment.<\/li>\n
      2. Automated tools provide flexibility on what to scan for.<\/li>\n
      3. It allows for analysis of applications in which you do not have access to the actual code.<\/li>\n
      4. It identifies vulnerabilities that might have been false negatives in the static code analysis.<\/li>\n
      5. It permits you to validate static code analysis findings.<\/li>\n
      6. It can be conducted against any application.<\/li>\n<\/ol>\n

        Dynamic code analysis limitations:<\/strong><\/p>\n

          \n
        1. Automated tools provide a false sense of security that everything is being addressed.<\/li>\n
        2. Automated tools produce false positives and false negatives.<\/li>\n
        3. Automated tools are only as good as the rules they are using to scan with.<\/li>\n
        4. There are not enough trained personnel to thoroughly conduct dynamic code analysis [as with static analysis].<\/li>\n
        5. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

          What are the advantages and limitations of static and dynamic software code analysis? Maj. Michael Kleffman of the Air Force\u2019s Application Software Assurance Center of Excellence spelled… <\/p>\n","protected":false},"author":1,"featured_media":3485,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[62],"tags":[1729,1733,1732,517,957,1003,784,492,1730,1731,1721,1722,1090,1723,1728,670],"class_list":["post-412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-code-analysis","tag-advantages","tag-advantages-of-dynamic-code-analysis","tag-advantages-of-static-code-analysis","tag-analysis","tag-benefits","tag-code","tag-code-analysis","tag-difference","tag-disadvantages","tag-drawbacks","tag-dynamic","tag-dynamic-code-analysis","tag-static","tag-static-code-analysis","tag-static-vs-dynamic","tag-what"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=412"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/412\/revisions"}],"predecessor-version":[{"id":3487,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/412\/revisions\/3487"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/3485"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}