Why is it important to probe and attack a system both at rest and in action?


There are two types of attacks that can be performed on a system: attacks at rest (static analysis) and attacks in action (dynamic analysis).
In order to develop a complete, robust, and thorough attack it is necessary to include both, as each covers ground the other cannot. Each has its strengths and shortcomings, and “it is not ideal that the enterprise should face a choice”5 between them.

Static analysis-

  • Performed in a non-runtime environment
  • Inspects program code for all possible run-time behaviors
  • Unearths “coding flaws, back doors, and potentially malicious code”5
  • Thorough approach to finding flaws – as inspection is on each line of code – not just those in path of execution
  • It is referred to as “verification,” as it is the “evaluation of the development phase.”6
  • Finds faults pertaining to:2
    • SQL injection locations
    • Un-validated input
    • Authentication/authorization gaps
    • Sensitive data mishandling
    • Ignoring exceptions
    • Code and data access
    • Unsafe code

Dynamic analysis-

  • Dynamic analysis is executed while a program is in operation.
  • It monitors “system memory, functional behavior, response time, and overall performance of the system.”5
  • It is similar to the attacks launched by actual hackers
  • It is capable of exposing a “subtle flaw or vulnerability too complicated for static analysis” 5 alone to reveal.
  • Only finds defects in the part of the code that is actually executed.
  • For a given input, the actual output of the software on execution is compared to its expected output. This allows developers to “analyze the functional behavior of a piece of software, and monitor its interaction with system memory, CPU function and overall system performance.” 6
  • It is referred to as “validation: the evaluation of a finished product.” 6
  • Dynamic analysis finds loopholes in:
    • Fuzzy input execution
    • Weak bindings between interfaces
    • Algorithm execution
    • Boundary values
    • Cryptography implementations
    • Authentication
    • Access
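The two lists above describe what each approach can see: static analysis inspects every line, including SQL injection locations in code that never runs, while dynamic analysis compares actual output with expected output for the inputs it is actually given. The following is an added example, not part of the original text: a minimal static check and a minimal dynamic check applied to the same constructed module (the module source, the `users` table and the inputs are all constructed here for illustration).

```python
"""Added example: a minimal static check and a minimal dynamic check run
against one small constructed module, to show what each approach observes."""
import ast
import sqlite3

# Constructed sample module: two lookup functions, one safe and one not.
SAMPLE_SOURCE = '''
def find_user(conn, name):
    # parameterized query: the static check sees a constant SQL string
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def find_user_unsafe(conn, name):
    # SQL built from un-validated input: flagged by the static check
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
'''

def static_sql_injection_sites(source: str) -> list[tuple[str, int]]:
    """Static analysis: walk every function without executing anything and
    report execute() calls whose SQL argument is not a constant string."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args
                    and not isinstance(node.args[0], ast.Constant)):
                findings.append((func.name, node.lineno))
    return findings

def dynamic_check(func_name: str, name: str, expected) -> bool:
    """Dynamic analysis: run one function against an in-memory database and
    compare its actual output with the expected output. Only the function
    and input actually exercised are observed."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)  # load the constructed module
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    return namespace[func_name](conn, name) == expected

if __name__ == "__main__":
    print(static_sql_injection_sites(SAMPLE_SOURCE))   # [('find_user_unsafe', 8)]
    print(dynamic_check("find_user", "alice", [(1,)]))  # True
```

Note that `dynamic_check("find_user_unsafe", "alice", [(1,)])` also returns True: with an ordinary input the unsafe function behaves exactly as expected, so the dynamic check alone does not reveal the flaw the static check reported, which is the complementarity the answer above argues for.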