Ask the Expert

Verifying the security of software with static and dynamic verification

Could you please describe what is meant by static verification and dynamic verification of security? What are the benefits offered by each process in making systems safer?

    Requires Free Membership to View

    Login

Verification is the aspect of software engineering that checks to see if the software meets its defined requirements/specifications (as opposed to validation, which determines whether the specifications meet user expectations). Verification can be broken down into the two major areas that you mention above: static and dynamic verification. This should not be confused with static and dynamic code analysis, both of which are subsets of dynamic code verification.

Static verification is the set of processes that analyzes code to ensure defined coding practices are being followed. This includes, but is not limited to, checking to ensure coding conventions are being followed and banned functions aren't being used. Additionally, static verification includes metrics (examples of metrics could be lines of code, bugs per line(s) of code or lines of code checked for vulnerabilities). Finally, static verification also includes formal verification, which is the attempt to use formal mathematical proofs to demonstrate that particular code adheres to specifications; this is particularly useful in terms of cryptography and algorithms, but has very broad applications as well.

Dymanic verification, on the other hand, is the classic quality assurance/quality control (QA/QC) testing that is done by most software organizations. This includes unit and functionality testing as well as regression testing. This is where most source code analysis tools land, be they commercial tools such as Prism (by http://reflectivecorp.com/) and Mercury (now owned by HP) or open source tools such as Lint or RATS (Rough Auditing Tool for Security). This also includes use of binary analysis tools like those provided by Veracode Inc. or fuzzers such as SPIKE or overflwo. This even includes Web application vulnerability analysis tools, especially the more advanced ones that actively test Javascript and SQL.

Source code analysis is great; it catches all sorts of issues especially around assorted overflows and underflows as well as use of banned functions. Binary analysis is very complimentary to source code analysis as it is really good at catching more complex buffer overflow issues, but also at finding application logic issues that would otherwise might only be caught by a very experienced manual code review team. In either case, these automated tools can cover far more code then a human code reviewer, freeing them up to focus on more complex architectural issues.

For more information:

  • Read more about static and dynamic verification of network security.
  • Black and white box testing: Which is best?

    • This was first published in August 2009

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top