Dynamic code analysis is also called Dynamic Application Security Testing (DAST). DAST is the process of analyzing an application through the running of the application and sending data to it via inputs and simulated clicks and the outputs collected, and compared to a set of standards. Often the application has added instrumentation, or it is executed within an emulated environment. This is dynamic because it exercises the application’s logic and data flow through use. This allows for the testing to see what portions of the code are called in response to different inputs and to see how the application responds. If the application does not handle an input correctly it may crash, run portions of the code that were not intended to be executed or cause other situations that may reveal vulnerabilities in the application.
Very few, if any, applications are designed and implemented perfectly accounting for all situations and data inputs. Dynamic Code Analysis can show the weaknesses in the application as implemented so that the weaknesses can be reviewed, analyzed and corrected, improving the security and stability of the application. The failure modes of the application could put data, or the system, at risk.
Dynamic code analysis is generally expected to be used as part of the software development life cycle (SDLC) for all web or server applications. The use of DAST is often included in the development cycle of the application as part of regular commits to a source code control system. Early use of DAST allows problems to be detected when they are small and easily fixed. A minimum general requirement is that it must be used, and the finding addressed, before the application is released to production.