Do you employ static or dynamic analysis tools in your development methodology?

dynamic code analysis

Dynamic code analysis is also called Dynamic Application Security Testing (DAST). DAST is the process of analyzing an application through the running of the application and sending data to it via inputs and simulated clicks and the outputs collected, and compared to a set of standards. Often the application has added instrumentation, or it is executed within an emulated environment.  This is dynamic because it exercises the application’s logic and data flow through use. This allows for the testing to see what portions of the code are called in response to different inputs and to see how the application responds. If the application does not handle an input correctly it may crash, run portions of the code that were not intended to be executed or cause other situations that may reveal vulnerabilities in the application.

Why are they asking this?

Very few, if any, applications are designed and implemented perfectly accounting for all situations and data inputs.  Dynamic Code Analysis can show the weaknesses in the application as implemented so that the weaknesses can be reviewed, analyzed and corrected, improving the security and stability of the application.  The failure modes of the application could put data, or the system, at risk.

What do they expect?

Dynamic code analysis is generally expected to be used as part of the software development life cycle (SDLC) for all web or server applications. The use of DAST is often included in the development cycle of the application as part of regular commits to a source code control system. Early use of DAST allows problems to be detected when they are small and easily fixed. A minimum general requirement is that it must be used, and the finding addressed,  before the application is released to production.

static code analysis

Static Code Analysis (SCA) is the process of analyzing the source code to an application without executing the application. The SCA reads in the code and looks for errors and vulnerabilities that exist in the code.  Some examples that the analyzer may look for include:

  • Not initializing variables before use

  • Known unsafe function calls

  • Inconsistent interface between modules and components.

  • Unreachable code or “Dead Code”

  • Failure to follow standard coding practices

  • Syntax violations

Why are they asking this?

Failure to use SCA on your source code can leave vulnerabilities in your application undetected. 

While SCA may not detect every vulnerability, it will help eliminate the common ones and the easy to exploit ones.

What do they expect?

It is expected that you have a robust software development life cycle (SDLC) that includes static code analysis in addition to other measures to ensure that the code is not vulnerable.