Static and dynamic analysis combined can lower the overall risk of your application by first assessing each line of code for any flaws followed by identifying how it reacts to different input when executed. Organizations typically choose to do dynamic over static due to cost or compliance, but bundling the two will ensure fewer risks. Below, we have broken down the strengths and weaknesses of both.
Tools used for static analysis will take your code as input and analyze each line for any insecure functions or coding practices. The tools are great at finding obvious high-risk flaws such as injections, which are the most often discovered findings during our web engagements. Static analysis is often used at organizations that are continuously improving or developing new content.
Static Testing Weaknesses
Cannot identify subjective or business logic related issues
Extremely slow in adopting new versions of programming languages
Requires more effort than dynamic analysis when dealing with tool results
40% gap in covering the OWASP Top 10
OWASP Top 10: 2017 Coverage
Covered: A1 – Injection
Out of scope: A2 – Broken Authentication
Covered: A3 – Sensitive Data Exposure
Covered: A4 – XML External Entities (XXE)
Out of scope: A5 – Broken Access Control
Out of scope: A6 – Security Misconfiguration
Covered: A7 – Cross-Site Scripting (XSS)
Covered: A8 – Insecure Deserialization
Covered: A9 – Using Components with Known Vulnerabilities
Out of scope: A10 – Insufficient Logging & Monitoring
Static Testing Strengths
Quick in identifying obvious coding flaws
Can be run in parallel with development to reduce overhead at the end of the development life cycle
Dynamic analysis does not see the actual server-side code. Instead, it executes it no different than what you do when you browse a website. The software or individual tester sits between the server and the browser while modifying requests to identify flaws in how the server reacts to them. In order to successfully evaluate an application using dynamic analysis, a skilled tester with advanced knowledge of the tool is required.
Dynamic Testing Weaknesses
Depends heavily on the qualifications of the tester. If the tester is not qualified, some findings will be missed. If you need help on choosing a penetration test company, visit our blog on “How To Choose The Right Penetration Testing Company For Your Business”
If the software fails to catch any existing issues, you will also have missed findings. Back in 2016, sectoolmarket did a comparison of dynamic scanners that covered accuracy and false positives. Prices have changed since then and many of those tools have released newer versions, but it can be used as a baseline in understanding that each tool has its shortcomings.
Dynamic Testing Strengths
Covers all of the OWASP Top 10.
Can be leveraged into checking for more sophisticated attacks by doing additional manual checks.
Each type of assessment can assist in lowering your overall risk, which is why we would recommend doing both during your development lifecycle. If budget is of concern, only do a dynamic test using a reputable company with a strong testing methodology to ensure complete coverage of the OWASP Top 10.