Friday, December 23, 2011

Static Analysis versus Dynamic Analysis

Paul Andersen from GrammaTech (the company that develop CodeSonar) share his thought on using both, static and dynamic analysis, to detect vulnerabilities. (read the articles here)

Lots of comments given which share the same thought as me. However, if I were to choose one, I'll definitely use static analysis. As I'm doing research in that area, I do found that we can remove all vulnerabilities related to C overflows at the beginning without using dynamic analysis. Of course there are pros and cons of using dynamic analysis, but the major issue with dynamic analysis which make me choose static analysis instead of dynamic is that the cost of re-write the code of modified the code is higher after the development phase and it can introduce unknown error too.

However, if a company can afford to use both, then I do recommend to use both. BUT, it is hard to choose the tool as all companies claimed their tool have better detection rate.


Security static analysis tools said...

Security static analysis tools are very effective for detect error in code. Thanks for sharing information.

Share It

Popular Posts