Static and dynamic analyses are two types of code security tests. Static is performed in non-runtime environment and is a form of white box security testing. It is simply a test where you have full access to the underlying code and binary and you will review it inside out. Static is usually done at an early stage to fix problems early and is a form of code review.
Dynamic testing is more of a blackbox testing where you don’t have the access to underlying static code or binary and are conducted from the outside looking in and are done in runtime. You would execute and examine while the software is running live. Simply put, static identifies problems by looking at code while dynamic identifies problems by running the code and inspecting the results. You will need to know how to do both since static doesn’t always catch every problems with the code. This is why we always test software and evaluate afterwards multiple times throughout lifecycle.
You will need to know how to disassemble statically and dynamically, which requires reverse engineering. Reverse engineering is simply deconstructing software into multiple pieces to extract design information. You will also need to know how to fuzz. Fuzz testing can be done automatically by a testing software. The software simply injects numerous unexpected inputs into the system then monitors for negative exceptions like leakage or crashes. Ultimately, this is to identify all the flaws.
HansITAcademy 