Create static_dynamic_analysis.md

This commit is contained in:
Omar Santos 2023-11-03 10:49:28 -04:00 committed by GitHub
parent 85c9876e4a
commit e27f575c32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -0,0 +1,27 @@
Static analysis and dynamic analysis are two fundamental methodologies used in the field of cybersecurity, particularly in the process of software testing and vulnerability assessment. They serve as complementary approaches, each offering unique insights into potential security issues within a system or application.
### Static Analysis
Static analysis, often referred to as Static Application Security Testing (SAST), involves examining the code of an application without actually executing the program. The primary goal is to analyze the source code, byte code, or binary code to identify potential security flaws.
Key aspects of static analysis include:
- **Early Detection**: Static analysis can be performed early in the software development lifecycle, even before the code is run. This helps in identifying vulnerabilities at an early stage, reducing the cost and complexity of fixing them later.
- **Comprehensive Coverage**: It can analyze the entire codebase, providing a thorough assessment of the applications security posture.
- **Automation**: Static analysis tools can automatically scan the code for patterns that indicate potential security issues, such as buffer overflows, SQL injection flaws, and cross-site scripting vulnerabilities.
- **No Execution Required**: Since the code isnt executed, theres no risk of damaging the system or data during the analysis.
Limitations of static analysis include potential false positives, difficulty in analyzing runtime behavior, and the inability to identify vulnerabilities that only manifest during execution.
### Dynamic Analysis
Dynamic analysis, also known as Dynamic Application Security Testing (DAST), involves examining an application during its execution. This method is used to identify security defects by providing inputs to the system and observing the outputs and behavior of the application.
Key aspects of dynamic analysis include:
- **Runtime Behavior**: Dynamic analysis observes the applications behavior during execution, which can uncover vulnerabilities that are not apparent in the static code.
- **Real-World Testing**: It simulates real-world attacks and can test the application in an environment that closely mirrors its production setting.
- **User Interaction**: Dynamic analysis can take into account user interactions and the flow of data through the application, identifying issues like session management flaws and authentication bypasses.
- **No Access to Source Code Required**: Dynamic analysis can be performed even without access to the source code, making it suitable for black-box testing scenarios.
Limitations of dynamic analysis include its scope being limited to the parts of the application that are executed during the test, potential false negatives, and the requirement of a fully functional system to test against.