There are two types of attacks that can be performed on a system: attacks at rest (static analysis) and attacks in action (dynamic analysis).
In order to develop a complete, robust, and thorough attack it is necessary to include both, as they are mutually exclusive in what they cover. Each has its strengths and shortcomings, and “it is not ideal that the enterprise should face a choice” [5] between them.
Static analysis:
- Performed in a non-runtime environment
- Inspects program code for all possible run-time behaviors
- Unearths “coding flaws, back doors, and potentially malicious code” [5]
- Thorough approach to finding flaws, as inspection covers each line of code, not just those in the path of execution
- It is referred to as “verification” [6], as it is the “evaluation of the development phase” [6]
- Finds faults pertaining to [2]:
  - SQL injection locations
  - Un-validated input
  - Authentication/authorization gaps
  - Sensitive data mishandling
  - Ignoring exceptions
  - Code and data access
  - Unsafe code
Dynamic analysis:
- Dynamic analysis is executed while a program is in operation.
- It monitors “system memory, functional behavior, response time, and overall performance of the system.” [5]
- It is similar to the attacks launched by actual hackers.
- It is capable of exposing a “subtle flaw or vulnerability too complicated for static analysis” [5] alone to reveal.
- Only finds defects in the part of the code that is actually executed.
- For a given input, the actual output of the software on execution is compared to its expected output. This allows developers to “analyze the functional behavior of a piece of software, and monitor its interaction with system memory, CPU function and overall system performance.” [6]
- It is referred to as “validation: the evaluation of a finished product.” [6]
- Dynamic analysis finds loopholes in:
  - Fuzzy input execution
  - Weak bindings between interfaces
  - Algorithm execution
  - Boundary values
  - Cryptography implementations
  - Authentication
  - Access
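As an added illustration (not part of the original notes), the Python below contrasts the two approaches on a constructed sample: the static pass walks every `cursor.execute()` call in the source text, including the branch that is never taken, while the dynamic pass only sees the queries that actually ran for the inputs supplied. The sample function `find_user`, the `RecordingCursor` stand-in for a database cursor, and the concatenation heuristic are assumptions made for this example.

```python
import ast

# Constructed sample program under review. The SQL-injection site sits in the
# admin branch, which ordinary inputs never execute.
SAMPLE = '''
def find_user(cur, name, admin=False):
    if admin:
        cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    else:
        cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


def static_sqli_sites(source):
    """Static analysis: inspect every .execute() call in the AST, whether or not
    its branch would run, and report lines whose query is built by string
    concatenation, an f-string or .format() instead of a parameterised literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            query = node.args[0]
            built_at_runtime = isinstance(query, (ast.BinOp, ast.JoinedStr)) or (
                isinstance(query, ast.Call) and isinstance(query.func, ast.Attribute)
                and query.func.attr == "format")
            if built_at_runtime:
                hits.append(node.lineno)
    return hits


class RecordingCursor:
    """Stand-in cursor (assumption): records what the program actually executed."""
    def __init__(self):
        self.queries = []

    def execute(self, sql, params=()):
        self.queries.append((sql, params))


def dynamic_unparameterised_queries(source, inputs):
    """Dynamic analysis: run the sample with the given (name, admin) inputs and
    return the SQL strings executed without parameters. Paths not exercised by
    the inputs are invisible to this check."""
    namespace = {}
    exec(source, namespace)  # executes the constructed sample only
    cur = RecordingCursor()
    for name, admin in inputs:
        namespace["find_user"](cur, name, admin)
    return [sql for sql, params in cur.queries if not params]
```

The static pass flags line 4 of the sample on every run; the dynamic pass reports nothing for a non-admin input and only surfaces the concatenated query once an admin input drives execution through that branch.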