Dynamic code analysis: What it is and isn’t in application security testing
If you’re searching around for information on dynamic code analysis in application security, you may be surprised to learn there’s no such thing. Time to set the record straight on the correct (and incorrect) meanings of dynamic analysis.
Your Information will be kept private.
Your Information will be kept private.
Key takeaways
- There is no such thing as dynamic code analysis in security testing because dynamic analysis doesn’t analyze code.
- Dynamic analysis simulates real-world attacks to spot vulnerabilities that can’t be found with static analysis, including web server misconfigurations.
- Dynamic analysis can also make use of new tool types that combine features of static code analysis and dynamic application testing.
Type dynamic code analysis into a search engine and the security-focused results may confuse you. And of course they would, since your starting point is a misnomer: dynamic code analysis is not a thing in security. Dynamic analysis is the real thing, yet it does not analyze code at all; it analyzes much more.
Many search results muddle up dynamic code analysis with dynamic application security testing (DAST) – but the latter exists, while the former doesn’t. DAST is a testing process that checks a running web application, looking for the kind of runtime vulnerabilities an attacker could exploit. That sets it apart from static application security testing (SAST), which checks the application source code for security vulnerabilities.
But why, then, if dynamic code analysis doesn’t really exist, do Google searches for that term turn up so many security articles attempting to define it? Simple: People outside the security industry often mistakenly think of DAST as the dynamic counterpart to static code analysis and search on that phrase, so vendors seeking readership fill the gap with tortured explanations. We’re seeking readership, too, but by calling it the way we see it.
The difference between static and dynamic analysis
Static analysis checks the source code of applications in development. It is helpful for spotting bugs before deployment, for overall quality control in the development process, and to meet regulatory requirements. It is even mandatory in some sectors, such as aviation and medical software, where bugs can threaten lives.
But for real-life usefulness, dynamic analysis is a must; it simulates all kinds of malicious or simply misguided inputs – from a nefarious hacker to a careless employee – to look for runtime vulnerabilities. Using DAST tools, a developer can perform a dynamic analysis that simulates an end-user’s actions, acting like an automated penetration tester. It can probe links, forms, and other functions, attempting operations like submitting forms with malicious data to try and exploit an app.
By itself, dynamic analysis doesn’t find the exact location of a misconfiguration or bug and cannot correct the issue. That is left to the security engineers or developers, but new and improved tools are streamlining and automating that process.
Dynamic analysis in the cloud(s)
Dynamic analysis won’t check the code in applications running on cloud platforms. Talking about scanning code implies you have access to the application source code, which is often not the case when relying on an external service provisioned over the internet. Unless you are developing everything in-house, you might have access to code libraries or application programming interfaces (APIs) but not to the entire source code of the app.
A huge number of organizations today rely on cloud servers to hold their entire workload. Many also combine one or more cloud vendors or even make use of multiple clouds and an on-premises network in the so-called hybrid cloud model. According to Deloitte, 90% of organizations have been using the cloud for three years or more now, and 79% are on multiple clouds – and that could mean running a lot of source code that they can’t scan. Instead, security and risk management professionals can use dynamic analysis to test the behavior of the whole application as it performs its functions, spotting issues that might not be apparent even with full access to the source code.
If an API is front-ending an app in a Google, Azure, or AWS server environment, it is always possible to test the API itself, and thus the application behind it, regardless of the code running on the cloud server hosting the app. Testing the way the application reacts when using the API is a real-world way to check your security posture and defenses, while running a SAST test only provides some indication of code quality.
The benefits of dynamic analysis
Dynamic testing can help security analysts spot insecure configurations and configuration errors that affect the application. Even assuming your application code is perfectly fine, the web server may be configured in a way that allows an attack. This is a big deal at a time when CISOs say security configurations are among their top concerns; for example, one survey said two-thirds of responding CISOs are worried about security misconfigurations causing a breach.
As a practical example, dynamic analysis can spot misconfigurations that enable clickjacking attacks, where a fraudster overlays or otherwise embeds a malicious URL in benign clickable content on your website. Users clicking on your site elements are then redirected to a malicious site – definitely not the place you originally intended to send them. This can be used for URL phishing, where attackers trick a person into clicking on a link they would otherwise not have touched, though that’s only one of many possibilities for cybercrime.
But that’s not a problem of code, it’s a problem of web server configuration. The key defense against clickjacking is to use security headers that prevent other sites from embedding anything in your pages. That defense must be configured at the web server and has nothing to do with application code security, so SAST or any code analysis tool would not identify the misconfiguration that opens up a vulnerability – but dynamic analysis can spot it.
Dynamic analysis needs to be part of any security regime, and combining static and dynamic analysis tools provides the most effective means to get the best of both worlds. Scanning code should always be a part of secure development practices, but dynamic analysis provides a broader and more realistic layer of security testing that can really help CISOs sleep better at night.
The bottom line
For something that doesn’t exist in application security, too many web searches and thousands of words have been generated about “dynamic code analysis.” Dynamic application security testing, on the other hand, is no mirage. It is a very real and extremely useful process for finding all sorts of attackable vulnerabilities in web applications – especially important at a time when so much depends on cloud security.