Dynamic analysis finds vulnerabilities in a runtime environment. Automated tools analyze the input and output of an application for potential threats like SQL injection. Tools can also search for other application-specific issues and analyze server configuration errors. The purpose of dynamic analysis is to analyze the program as an attacker would, looking for entry points and vulnerable sections during program execution.
Why Developers Use Dynamic Analysis
- It’s fast.
Dynamic analysis is traditionally much faster than similar tools. This allows for increased efficiency and faster time-to-product.
- It’s flexible.
One of the major advantages of dynamic analysis is that it’s completely automated. These automated tools often allow for scheduling which maximizes developer efficiency. They also often have the capability to scan for more than one type of vulnerability, allowing increased flexibility when searching for potential exploits.
- It isn’t language dependent.
Dynamic analysis doesn’t analyze the source code; it simulates a malicious user. This means a proper tool could test any web application regardless of the development language (Java, PHP, etc.).
- It confirms the results of static analysis.
Dynamic and static analysis techniques are most powerful when used in tandem. The methods can be used as a system of checks and balances, acting as insurance against false positives and false negatives.
Example of Dynamic Analysis
Assume there’s a team of developers writing a web application. They’re partially into the development cycle when they realize they’re having an issue with the data structures created by the program.
They decide to use a dynamic analysis tool, then instruct the tool to record the linkages among heap-allocated storage cells. Afterwards, they use this data to find an issue with the shape of the data structures, allowing them to move on with the development cycle.
With so many modern devices supporting web integration, secure coding practices are more important than ever. Dynamic code analysis, for example, has become an important tool in demonstrating safety compliance of medical devices to the FDA. It provides efficient analysis of potential threat and, when combined with static analysis, provides a powerful overview of possible vulnerabilities.