Problem solve Get help with specific problems with your technologies, process and projects.

Verifying the security of software with static and dynamic verification

Secure software is critical to all businesses, and security verification is an important part of that process. In this expert response, learn the difference between static and dynamic verification of security in software engineering.

Could you please describe what is meant by static verification and dynamic verification of security? What are the benefits offered by each process in making systems safer?
Verification is the aspect of software engineering that checks to see if the software meets its defined requirements/specifications (as opposed to validation, which determines whether the specifications meet user expectations). Verification can be broken down into the two major areas that you mention above: static and dynamic verification. This should not be confused with static and dynamic code analysis, both of which are subsets of dynamic code verification.

Static verification is the set of processes that analyzes code to ensure defined coding practices are being followed. This includes, but is not limited to, checking to ensure coding conventions are being followed and banned functions aren't being used. Additionally, static verification includes metrics (examples of metrics could be lines of code, bugs per line(s) of code or lines of code checked for vulnerabilities). Finally, static verification also includes formal verification, which is the attempt to use formal mathematical proofs to demonstrate that particular code adheres to specifications; this is particularly useful in terms of cryptography and algorithms, but has very broad applications as well.

Dymanic verification, on the other hand, is the classic quality assurance/quality control (QA/QC) testing that is done by most software organizations. This includes unit and functionality testing as well as regression testing. This is where most source code analysis tools land, be they commercial tools such as Prism (by and Mercury (now owned by HP) or open source tools such as Lint or RATS (Rough Auditing Tool for Security). This also includes use of binary analysis tools like those provided by Veracode Inc. or fuzzers such as SPIKE or overflwo. This even includes Web application vulnerability analysis tools, especially the more advanced ones that actively test Javascript and SQL.

Source code analysis is great; it catches all sorts of issues especially around assorted overflows and underflows as well as use of banned functions. Binary analysis is very complimentary to source code analysis as it is really good at catching more complex buffer overflow issues, but also at finding application logic issues that would otherwise might only be caught by a very experienced manual code review team. In either case, these automated tools can cover far more code then a human code reviewer, freeing them up to focus on more complex architectural issues.

For more information:

  • Read more about static and dynamic verification of network security.
  • Black and white box testing: Which is best?
  • This was last published in August 2009

    Dig Deeper on Secure software development