Source code analysis of an application is one of the most powerful and effective methods for recognizing and resolving programming errors at an early stage.
Usually, two different approaches pursued, which can only achieve their full potential by combining them: static and dynamic testing methods.
With the former approach, the application is not executed, but analyzed on errors on the basis of predefined rules. These range from poor coding style over wrong type conversions to unintentional memory leaks with often serious impacts.
Since a static analysis is also prone to many putative errors (“false positives”), it always requires a subsequent assessment of all those issues found.
In addition, the use of dynamic testing procedures is an important instrument in order to minimize the amount of missed issues (“false negatives”) and to further increase the quality of the results.
To achieve this, dynamic testing follows a strategy where the application is first started, and then fed – during execution time – with prepared input data and to finally analyze the produced output data. If the returned result differs from the expected result, it is considered an error. The risk potential of these errors has to be manually examined and evaluated.