Static vs Dynamic Code Analysis: How to Choose Between Them

 ● 18th Sep 2020

6 min read

static vs dynamic code analysis cover image

When it comes to static vs dynamic code analysis, what’s the difference between them and how do you know which one to use?

If there is any bright spot in the recent COVID-19 mess, it is software’s ability to connect the world and enable nearly every major facet of modern life to persist, despite awful circumstances.

But when software fails to work as expected, the negative implications are worse than ever. The gravity of even a single application error slipping through to production can be catastrophic, as we saw with the recent Zoom outage.

Most organizations have already invested heavily in various testing measures, so what else can be done to maintain software delivery speed without allowing escaped defects? Automated code analysis could be the answer.

In our 2020 State of Software Quality survey, we asked participants which technologies they plan to invest in to improve software quality. The results show that while engineering teams are continuing to invest in pipeline automation and containerized microservices, automated code analysis is seeing a major uptick. By the end of 2020, 37% of respondents said they plan to adopt static code analysis, and 28% said dynamic code analysis, putting these tools at the top of the list.

But what are static and dynamic analysis and why should you consider using them? Below we break down the unique value each tool provides and why you might consider adding them to your DevOps toolchain.

Static and Dynamic Analysis: A Simple Analogy

Let’s start with a sporting analogy to help illustrate the difference between these two methodologies. Static code analysis is analogous to practicing your baseball swing with a practice net and a pitching machine. There are minimal surprises. After a few swings, you know exactly where the ball is going to be every time. This helps to work on fundamentals and to make sure that you have good form. While this helps with improving your game, it can only get you so far.

Dynamic code analysis is more like practicing your swing against a live pitcher with variation in the types and locations of each pitch. It tests not only your fundamentals, but your ability to react to different, unexpected situations. When done in production, dynamic analysis is like perfecting your swing at the bottom of the 9th with the bases loaded. Did I mention that the score is tied with 2 outs? The stakes are high.

Now, let’s compare and contrast the two different styles from a technical perspective.

Static Code Analysis

Static code analysis is a method of debugging done by examining an application’s source code before a program is run. This is usually done by analyzing the code against a given set of rules or coding standards.

What does this address?

These often address code vulnerabilities, code smells and adherence to commonly accepted coding standards. These include common developer errors which are often found by “Code Peer Reviews”. 

In which stage of the software development lifecycle can we use static code analysis?

Static code analysis is usually incorporated at any stage after the “Code Development” phase and before “Unit/Component/Integration” testing phases. In some cases, CI/CD pipelines incorporate Static analysis reports as a quality gate for code promotion.

Benefits

Among other benefits, the ability to identify weaknesses in the code and to adhere to strict development standards help reduce potential production issues. These also provide “Test Coverage” reports that describe the degree to which the code has been exercised.

Limitations

In real life, what works for “Joe” doesn’t work for “Jane”. Static code analysis treats both the same since it cannot see the data.

Consider the following pseudo code: 

function getFullName(firstName) {

if (firstName == “Joe”)

return “Joe Smith”

if (firstName == “Jane”)

return “Dave” // This is incorrect business logic

if (firstName != “Joe or Jane”)

return “Joey” 

}

In the above example, static code analysis provides no understanding of developer intent. A user expecting “Jane’s” full name as “Jane Doe” gets “Dave”. Any other name returns “Joey”. Any downstream application expecting a valid user would now face runtime errors or exceptions.

Issues like these could easily pass “Static Code analysis rules”, JUnits, even “Code coverage” reports. Production is the “Wild Wild West” and often contains a plethora of business flavors. “Production scenarios” don’t adhere to any given set of rules.

Finally, automated static code coverage tools often provide a false sense of security that everything is being validated. The truth is that the reports are only as good as the underlying rules that govern them.

Dynamic Code Analysis

Dynamic code analysis is the method of debugging by examining an application during or after a program is run. Since the source code can be run with a variety of different inputs, there isn’t a given set of rules that can cover this style.

What does this address?

These address runtime vulnerabilities that occur due to variations in business context. For example, the code snippet from above would be flagged by dynamic code analysis. Tools such as OverOps take this a few steps further. 

  1. For every runtime event, OverOps answers what happened, when it happened and why it happened.
  2. OverOps enables the detection, classification and prioritization of all runtime anomalies on multiple facets.

In which stage of the SDLC (Software Development Lifecycle) can we use Dynamic code analysis?

These can be used in multiple places. 

  1. For production, dynamic code analysis provides information to help troubleshoot production incidents quickly. 
  2. For pre-production, dynamic code analysis prevents bad code from going into production. These can be used in conjunction with CI/CD tools as a quality gate for code promotion.

Benefits

In production, dynamic code analysis helps provide visibility to application issues, reducing MTTI for production incidents. Overops goes even deeper – determining the exact offending line of source code with variable values.

Limitations

If the code doesn’t run, it doesn’t get analyzed. In addition, dynamic code analysis cannot perform the function of static code analysis tools, so it’s best used in conjunction with them.

Conclusion

Just like practicing your swing against both a machine and a live pitcher, static and dynamic analysis go hand-in-hand. Static code analysis often finds issues in unexercised code that dynamic code analysis can’t. At the same time, dynamic code analysis covers production scenarios that static analysis doesn’t.

OverOps enables you to bring these two approaches together to ensure your code is truly production-ready. By feeding OverOps data directly into popular static analysis tools like SonarQube, users are able to enhance their existing quality gates with insight into runtime errors.

You can read more about how we integrate with SonarQube and other static analysis tools here. To see this integration and our other plugins in action, sign-up for a free trial or watch this recent webinar where we discuss static vs. dynamic analysis in more detail.

Subscribe for Post Updates

We will send you updates about industry trends and more

Please visit our privacy policy for further details about our privacy practices.

Next Article