An overview of static and dynamic analysis in application security testing

22 views

Authors

  • Nguyen Thanh Cong Le Quy Don Technical University
  • Le Huy Toan Department of Digital Transformation and Environment Resources Data Information, Ministry of Natural Resources and Environment
  • Ta Minh Thanh (Corresponding Author) Le Quy Don Technical University

DOI:

https://doi.org/10.54939/1859-1043.j.mst.99.2024.1-11

Keywords:

Information security; Static analysis; Dynamic analysis; Security vulnerabilities; Software testing.

Abstract

In the context of increasingly complex information systems facing numerous cybersecurity threats, the evaluation of information security has become crucial. This paper focuses on two common methods of information security assessment: static analysis and dynamic analysis. Static analysis examines source code or binary code to detect security vulnerabilities during the software development phase. Dynamic analysis tests system security during operation, helping to identify vulnerabilities at runtime. The paper provides an overview of the techniques and tools for both methods, while comparing their advantages and disadvantages. Static analysis helps detect errors early but may miss runtime errors, while dynamic analysis performs real-world testing but can disrupt system operations. The combination of both methods yields the best results in ensuring information security.

References

[1]. Z. Shen, S. Chen, "A survey of automatic software vulnerability detection, program repair, and defect prediction techniques", Security and Communication Networks 2020 (1), 8858010 (2020). DOI: https://doi.org/10.1155/2020/8858010

[2]. L. Li, H. Feng, W. Zhuang, N. Meng, B. Ryder, "Cclearner: A deep learning-based clone detection approach", pp. 249-260, (2017). DOI: https://doi.org/10.1109/ICSME.2017.46

[3]. H. Wei, M. Li, "Supervised deep features for software functional clone detection by exploiting lexical and syntactical information in source code", pp. 3034-3040, (2017). DOI: https://doi.org/10.24963/ijcai.2017/423

[4]. M. White, M. Tufano, C. Vendome, D. Poshyvanyk, "Deep learning code fragments for code clone detection", pp. 87-98, (2016). DOI: https://doi.org/10.1145/2970276.2970326

[5]. N. Marastoni, R. Giacobazzi, M. Dalla Preda, "A deep learning approach to program similarity", pp. 26-35, (2018). DOI: https://doi.org/10.1145/3243127.3243131

[6]. A. Sheneamer, "CCDLC detection framework-combining clustering with deep learning classification for semantic clones", pp. 701-706, (2018). DOI: https://doi.org/10.1109/ICMLA.2018.00111

[7]. A. Sheneamer, H. Hazazi, S. Roy, J. Kalita, "Schemes for labeling semantic code clones using machine learning", pp. 981-985, (2017). DOI: https://doi.org/10.1109/ICMLA.2017.00-25

[8]. N. Shalev, N. Partush, "Binary similarity detection using machine learning", pp. 42-47, (2018). DOI: https://doi.org/10.1145/3264820.3264821

[9]. G. Zhao, J. Huang, "Deepsim: deep learning code functional similarity", pp. 141-151, (2018). DOI: https://doi.org/10.1145/3236024.3236068

[10]. X. Ban, S. Liu, C. Chen, C. Chua, "A performance evaluation of deep-learnt features for software vulnerability detection", Concurrency and Computation: Practice and Experience 31(19), e5103, (2019). DOI: https://doi.org/10.1002/cpe.5103

[11]. A.G. Bacudio, X. Yuan, B.-T.B. Chu, M. Jones, "An overview of penetration testing", International Journal of Network Security & Its Applications 3(6), 19, (2011). DOI: https://doi.org/10.5121/ijnsa.2011.3602

[12]. A. Amos-Binks, J. Clark, K. Weston, M. Winters, K. Harfoush, "Efficient attack plan recognition using automated planning", pp. 1001-1006, (2017). DOI: https://doi.org/10.1109/ISCC.2017.8024656

[13]. W. Wang, D. Sun, F. Jiang, X. Chen, C. Zhu, "Research and challenges of reinforcement learning in cyber defense decision-making for intranet security", Algorithms 15(4), 134, (2022). DOI: https://doi.org/10.3390/a15040134

[14]. M. Bhme, C. Cadar, A. Roychoudhury, "Fuzzing: Challenges and reflections", IEEE Software 38(3), 79-86, (2020). DOI: https://doi.org/10.1109/MS.2020.3016773

[15]. J. Li, B. Zhao, C. Zhang, "Fuzzing: a survey", Cybersecurity 1, 1-13, (2018). DOI: https://doi.org/10.1186/s42400-018-0002-y

[16]. M. Alqaradaghi, T. Kozsik, "Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code", IEEE Access (2024). DOI: https://doi.org/10.1109/ACCESS.2024.3389955

[17]. K. Abdulghaffar, N. Elmrabit, M. Yousefi, "Enhancing Web Application Security through Automated Penetration Testing with Multiple Vulnerability Scanners", Computers 12(11), 235, (2023). DOI: https://doi.org/10.3390/computers12110235

[18]. S. Alazmi, D.C. De Leon, "A systematic literature review on the characteristics and effectiveness of web application vulnerability scanners", IEEE Access 10, 33200-33219, (2022). DOI: https://doi.org/10.1109/ACCESS.2022.3161522

[19]. White Box Testing for Web Applications, 2020. https://www.offsec.com/blog/white-box-testing-web-applications/. (2024).

[20]. A. O'Mara, I. Alsmadi, A. Aleroud, D. Alharthi, "Phishing Detection Based on Webpage Content: Static and Dynamic Analysis", pp. 39-45, (2023). DOI: https://doi.org/10.1109/ICSC60084.2023.10349975

[21]. A. Aggarwal, P. Jalote, "Integrating Static and Dynamic Analysis for Detecting Vulnerabilities", pp. 343-350, (2006). DOI: https://doi.org/10.1109/COMPSAC.2006.55

Downloads

Published

25-11-2024

How to Cite

Nguyen Thanh Cong, Le Huy Toan, and Ta Minh. “An Overview of Static and Dynamic Analysis in Application Security Testing”. Journal of Military Science and Technology, vol. 99, no. 99, Nov. 2024, pp. 1-11, doi:10.54939/1859-1043.j.mst.99.2024.1-11.