Static code analysis is the process of reviewing source code while it is in a static state, i.e., it is not executing. Static code analysis can be done manually by human reviewers or it can be done automatically by analysis tools that detect common mistakes in code. As a pen tester, if you have access to a target app's source code, you can perform static analysis to discover how the app functions and potentially identify security issues and bugs that result from programming mistakes or poor coding practices. Another term commonly used in the industry is SAST, or static application security testing.

Static analysis reveals a low-level perspective of an app's logic. This perspective can provide you with details that you might not get from testing an app during execution. For example, there may be limitless permutations of input that can be handled by the program's logic; by understanding the input handler routine itself, you might be able to gain instant insight into any potential problems.

Because you're reviewing code, static analysis requires familiarity with whatever language the app is written in. In many cases, you'll need to be quite proficient in the target language in order to actually spot issues that the developer missed. Any tools you employ to automate the process will likely target specific languages and may not work with all source code.

Dynamic Analysis

As opposed to static code analysis, dynamic analysis is the process of reviewing an app while it is executing. This helps reveal issues that a static code analysis may miss, as some issues are more easily identifiable when a program is running and accepting unpredictable user input. For example, even if you know the code behind an input handling routine, you won't necessarily understand how it could be problematic until you actually feed it into an input that causes a problem. Another term commonly used in the industry is DAST, or dynamic application security testing.

As a pen tester, you're more likely to test applications dynamically than to test source code statically. Just as you've attempted to exploit web apps, you may be called on to exploit desktop apps, server apps, mobile apps, and more. Testing the apps' inputs for weaknesses to DoS, privilege escalation, etc., is the most common form of dynamic analysis, but not the only one. You can also test an app's behavior as it executes on specific platforms or custom environments. Testing the running app to see how it interacts with other running apps might also reveal security issues with interprocess communication.

Unlike static analysis, you don't necessarily need to be familiar with the language the app was written in. However, in some cases, knowing the language can guide your efforts. Dynamic analysis can also be conducted manually or with tools that automate the testing process.