From e27f575c3226148cbefb235d09ff2a63795fb857 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Fri, 3 Nov 2023 10:49:28 -0400 Subject: [PATCH] Create static_dynamic_analysis.md --- methodology/static_dynamic_analysis.md | 27 ++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 methodology/static_dynamic_analysis.md diff --git a/methodology/static_dynamic_analysis.md b/methodology/static_dynamic_analysis.md new file mode 100644 index 0000000..6447bc3 --- /dev/null +++ b/methodology/static_dynamic_analysis.md @@ -0,0 +1,27 @@ +Static analysis and dynamic analysis are two fundamental methodologies used in the field of cybersecurity, particularly in the process of software testing and vulnerability assessment. They serve as complementary approaches, each offering unique insights into potential security issues within a system or application. + +### Static Analysis + +Static analysis, often referred to as Static Application Security Testing (SAST), involves examining the code of an application without actually executing the program. The primary goal is to analyze the source code, byte code, or binary code to identify potential security flaws. + +Key aspects of static analysis include: + +- **Early Detection**: Static analysis can be performed early in the software development lifecycle, even before the code is run. This helps in identifying vulnerabilities at an early stage, reducing the cost and complexity of fixing them later. +- **Comprehensive Coverage**: It can analyze the entire codebase, providing a thorough assessment of the application’s security posture. +- **Automation**: Static analysis tools can automatically scan the code for patterns that indicate potential security issues, such as buffer overflows, SQL injection flaws, and cross-site scripting vulnerabilities. +- **No Execution Required**: Since the code isn’t executed, there’s no risk of damaging the system or data during the analysis. + +Limitations of static analysis include potential false positives, difficulty in analyzing runtime behavior, and the inability to identify vulnerabilities that only manifest during execution. + +### Dynamic Analysis + +Dynamic analysis, also known as Dynamic Application Security Testing (DAST), involves examining an application during its execution. This method is used to identify security defects by providing inputs to the system and observing the outputs and behavior of the application. + +Key aspects of dynamic analysis include: + +- **Runtime Behavior**: Dynamic analysis observes the application’s behavior during execution, which can uncover vulnerabilities that are not apparent in the static code. +- **Real-World Testing**: It simulates real-world attacks and can test the application in an environment that closely mirrors its production setting. +- **User Interaction**: Dynamic analysis can take into account user interactions and the flow of data through the application, identifying issues like session management flaws and authentication bypasses. +- **No Access to Source Code Required**: Dynamic analysis can be performed even without access to the source code, making it suitable for black-box testing scenarios. + +Limitations of dynamic analysis include its scope being limited to the parts of the application that are executed during the test, potential false negatives, and the requirement of a fully functional system to test against.