The Role of Static & Dynamic Testing in SDLC
Reports of website vulnerabilities and data breaches are constantly in the news, so securing the software development life cycle (SDLC) has gained far more momentum than before. This is a signal to enterprises to be selective in choosing the right security techniques to implement.
Static and dynamic analysis are two of the most popular types of security test. Before implementing either, however, the security-conscious enterprise should examine precisely how each type of test helps to secure the SDLC.
Static and Dynamic Analyses Explained
In static testing, code is not executed. Instead, the code, requirement documents and design documents are checked manually to find errors, which is what gives the testing its name, ‘static’. It is also called the non-execution technique or verification testing. Static testing involves manual or automated reviews of documents. The review is done during the initial phase of testing to catch defects early in the Software Testing Life Cycle (STLC). It examines work documents and provides review comments.
Dynamic analysis takes the opposite approach and is carried out while the program is running. In dynamic testing, code is executed. It checks the functional behaviour of the software system, its memory/CPU usage and its overall performance, which is what gives the testing its name, ‘dynamic’. It is also called the execution technique or validation testing. Dynamic testing executes the software and validates the output against the expected outcome. It is performed at all levels of testing and can be either black-box or white-box testing.
Static Testing – Techniques
It starts early in the life cycle, so it is done during the verification process. It does not need a computer, because the program is tested without being executed. Examples: reviews, walkthroughs, inspections, etc.
- Peer review by other engineers: the author of the work product explains the product to the team, and participants can ask questions.
- Review of design documents: a formal type of review that follows a strict process to find defects. Reviewers record each defect and inform the participants so that the errors can be rectified.
- Code review: a systematic review of the software source code without executing it, checking whether the code matches its specification (for example, by applying term rewriting to the code) as well as its syntax, coding standards, optimization, etc. This is also termed white-box testing. It can be done at any point during development.
Other static techniques:
- Sneak circuit analysis: finds weak patterns in topologies; it applies to hardware, not software.
- Tracing the behaviour of a software model.
- An informal review: this technique just lets you review the document and give informal comments on it.
Dynamic Testing – Techniques
This testing technique needs a computer. It is done during the validation process: the software is tested by executing it on a computer. Examples: unit testing, integration testing and system testing.
- Unit Testing: individual units or modules are tested by the developers. It involves testing of the source code by developers.
- Integration Testing: individual modules are grouped together and tested by the developers. The purpose is to determine that the modules work as expected once they are integrated.
- System Testing: performed on the whole system, checking whether the system or application meets the requirement specification document.
Note: Non-functional testing, such as performance and security testing, falls under the category of dynamic testing.
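As an added example (not code from the article), the following Python script contrasts the two approaches described above, static analysis in the "Explained" section and the unit/integration levels of dynamic testing, on one small module. The module, its two defects, and the rules the static check applies are all constructed for illustration: a static check walks the source's syntax tree without running it, and dynamic tests execute the same functions and compare their output with the expected outcome.

```python
import ast
import types

# Constructed sample module under test (not from the article). It deliberately
# contains two different kinds of defect:
#   - a risky code pattern (shell=True with concatenated input) that a static
#     check can spot by reading the source, without ever running it;
#   - an off-by-one bug in page_count that only shows up when the code runs.
SAMPLE_SOURCE = '''
import subprocess

def run_report(name):
    # risky pattern: shell=True with user-controlled text in the command
    return subprocess.run("report " + name, shell=True)

def page_count(items, per_page):
    # intended: ceiling of len(items) / per_page; wrong for exact multiples
    return len(items) // per_page + 1

def paginate(items, per_page):
    return [items[i:i + per_page] for i in range(0, len(items), per_page)]
'''


# ---- Static testing: inspect the syntax tree, never execute the code ----
def static_findings(source):
    """Return (line_number, message) for each risky call found in the source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # subprocess.<anything>(..., shell=True)
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "subprocess call with shell=True"))
        # eval(...) on anything
        if isinstance(func, ast.Name) and func.id == "eval":
            findings.append((node.lineno, "use of eval"))
    return findings


# ---- Dynamic testing: execute the code and compare output with expectations ----
def load_module(source):
    """Compile and execute the sample source so its functions can be called."""
    module = types.ModuleType("sample")
    exec(compile(source, "<sample>", "exec"), module.__dict__)
    return module


def unit_test_page_count(module):
    """Unit level: exercise page_count on its own; return the failing cases."""
    expected = {(3, 2): 2, (4, 2): 2, (5, 5): 1, (0, 2): 0}
    failures = []
    for (n_items, per_page), want in expected.items():
        got = module.page_count(list(range(n_items)), per_page)
        if got != want:
            failures.append(((n_items, per_page), want, got))
    return failures


def integration_test_pagination(module):
    """Integration level: paginate and page_count must agree when combined."""
    mismatches = []
    for n_items in range(7):
        items = list(range(n_items))
        pages = len(module.paginate(items, 3))
        counted = module.page_count(items, 3)
        if pages != counted:
            mismatches.append((n_items, pages, counted))
    return mismatches


if __name__ == "__main__":
    print("static findings:", static_findings(SAMPLE_SOURCE))
    sample = load_module(SAMPLE_SOURCE)
    print("unit failures:", unit_test_page_count(sample))
    print("integration mismatches:", integration_test_pagination(sample))
```

The static check reports the shell=True call on line 6 of the sample without executing anything, but it is blind to the off-by-one. The dynamic tests expose the off-by-one (at unit level directly, and at integration level as a disagreement between paginate and page_count), but would only notice the shell=True problem if an input that triggered it were actually run. That asymmetry is why the two kinds of testing complement each other.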
How about Automation?
Static and dynamic testing need not be performed manually; they can also be automated. Used sensibly, automated tools can drastically enhance the return on testing investment. Automated testing tools are an ideal option in certain situations; for example, automation may be used to test a system’s reaction to a heavy volume of users, or to confirm that a bug fix works as expected.
Ideally, an enterprise should perform both static and dynamic analysis to secure the SDLC. Such an approach will certainly benefit from the interdependence between static and dynamic testing.