Static and Dynamic Source Code Analysis

Application Security Analysis

With the growing number of attacks targeting web and mobile applications, the risk of exploiting flaws in their code or configuration continues to increase. Security vulnerabilities often go unnoticed during traditional functional testing because they do not appear as visible errors in application behavior. Security analysis therefore uses specialized techniques designed to identify weaknesses before they can be exploited. Among the most widely used methods are static application security testing (SAST) and dynamic application security testing (DAST).


What is static analysis

Unlike dynamic testing, static analysis is performed without running the application — directly on its source code.

  • It focuses on identifying errors and vulnerabilities in the code before deployment.

  • It helps detect risks in application logic, input handling, or authorization mechanisms.

  • It identifies issues such as SQL injection, improper password handling, or insufficient identity verification.

The analysis is typically performed automatically using specialized tools, often already during the development phase. From a security perspective, it is an important preventive mechanism — by detecting weaknesses early, it reduces remediation costs and improves the overall quality of the application.
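To make the static approach concrete, here is an added example (illustrative code, not BDO's tooling or anything from this page) of the kind of check a SAST tool performs: it parses Python source into a syntax tree without executing it and flags every database execute() call whose query is assembled at runtime by concatenation, %-formatting, .format() or an f-string, the pattern behind most SQL injection findings, while a constant query with bound parameters passes. The scanned module, the function names and the execute() convention are constructed assumptions for the example.

```python
"""Minimal SAST-style check for SQL queries assembled from runtime strings.

Added illustrative example; not BDO's tooling or code from the page.
The scanned source below is constructed for the example.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    reason: str


# Constructed sample module: two vulnerable helpers and one safe one.
SAMPLE_SOURCE = '''
def find_user_concat(cursor, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor.execute(query)

def find_user_fstring(cursor, username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")

def find_user_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''


def _is_dynamic_string(node, assignments, depth=0):
    """True if the expression builds its string value at runtime."""
    if depth > 10:  # guard against pathological self-referencing assignments
        return False
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    if isinstance(node, ast.Name) and node.id in assignments:
        # Follow a simple variable back to the expression assigned to it.
        return _is_dynamic_string(assignments[node.id], assignments, depth + 1)
    return False


class SqlStringVisitor(ast.NodeVisitor):
    """Records execute() calls whose first argument is a runtime-built string."""

    def __init__(self):
        self.findings = []
        # name -> most recently assigned expression (flow-insensitive, good enough here)
        self.assignments = {}

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assignments[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0], self.assignments)):
            self.findings.append(Finding(
                node.lineno,
                "SQL query assembled from a runtime string; use bound parameters"))
        self.generic_visit(node)


def scan_source(source):
    """Return the findings for one Python module given as text."""
    visitor = SqlStringVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.reason}")
```

Run as a script, it reports the two concatenated and f-string queries (lines 4 and 7 of the sample) and stays silent on the parameterized one. Real SAST tools add data-flow tracking across functions and files, but the core idea is the same: reason about the code's structure, not its runtime behaviour.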


What is dynamic analysis

Unlike static analysis, dynamic analysis is performed on a running application and observes its behavior in real time.

  • It focuses on how the system responds to different inputs, interactions, and simulated attacks.

  • It helps identify vulnerabilities such as SQL injection, XSS, or path traversal.

  • It verifies the security of APIs, forms, and access controls to sensitive data.

From a security perspective, dynamic analysis helps uncover weaknesses that only appear during the execution of the application and might not be detected through static code inspection. It is therefore an essential component of a comprehensive application security testing approach.
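As a counterpart to the static check, here is an added example (illustrative code, not BDO's tooling or anything from this page) of a minimal dynamic, DAST-style probe. It drives a small constructed WSGI application in-process, sends a harmless marker value to each endpoint and inspects the live response to see whether the value comes back unescaped, which is the symptom a dynamic scanner looks for when checking for reflected input such as XSS. The application, its endpoint paths and the parameter name are assumptions for the example; no network is used.

```python
"""Minimal DAST-style reflection probe run against an in-process WSGI app.

Added illustrative example; not BDO's tooling or code from the page.
The sample application below is constructed for the example.
"""
import html
import io
import urllib.parse


# Constructed sample app: one endpoint reflects input raw, one escapes it.
def sample_app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]
    if path == "/greet-raw":
        body = f"<p>Hello {name}</p>"            # vulnerable: raw reflection
    elif path == "/greet-safe":
        body = f"<p>Hello {html.escape(name)}</p>"  # hardened: output encoding
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def call_app(app, path, query):
    """Invoke a WSGI app in-process and return (status, body) as strings."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": io.BytesIO(),
        "wsgi.url_scheme": "http",
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


# Harmless probe value: contains angle brackets but is not executable markup.
MARKER = "<dast-marker>"


def probe_reflection(app, path, param):
    """True if the marker is echoed back unescaped in a 200 response."""
    query = urllib.parse.urlencode({param: MARKER})
    status, body = call_app(app, path, query)
    return status.startswith("200") and MARKER in body


def scan(app, endpoints, param="name"):
    """Probe each endpoint; return those that reflect the parameter unescaped."""
    return [path for path in endpoints if probe_reflection(app, path, param)]


if __name__ == "__main__":
    for path in scan(sample_app, ["/greet-raw", "/greet-safe", "/missing"]):
        print(f"{path}: reflects unescaped input in parameter 'name'")
```

Nothing in the application's source is read; the finding comes purely from observing how the running code responds, which is why this class of weakness can surface in dynamic testing even when a static scan of the templates looks clean. The escaped endpoint returns `&lt;dast-marker&gt;` and is correctly not reported.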

Why implement application security analysis?

  • Improved application security – Vulnerabilities are identified before they can be exploited.

  • Cost efficiency – Early detection significantly reduces the cost of remediation.

  • Feedback for developers – Supports faster and more secure software development.

  • Regulatory and compliance support – Helps meet requirements of frameworks such as DORA, NIS2 and ISO 27001.

  • Reduced cyber-attack risk – Combining static and dynamic analysis significantly limits the attack surface.


What requirements does DORA set for application testing?

Under the DORA framework, application testing must be integrated into a comprehensive ICT risk management framework that covers prevention, detection, response, and recovery from cyber incidents.

Key requirements include:

  • Integration into ICT risk management
    Testing must be part of a broader framework for managing ICT risks across applications and systems.

  • Regular security assessments
    Organizations must periodically evaluate the security of applications and systems, ensuring the integrity, availability, and confidentiality of data.

  • Continuous vulnerability management
    Vulnerabilities in systems, software components, and libraries must be continuously identified, documented, and managed.

  • Proportionate tools and methodologies
    Security testing tools and methodologies must be appropriate to the nature, scale, and complexity of the ICT systems in operation.

DORA emphasizes systematic and regular vulnerability testing as an essential element of ICT security management. Methods such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) enable effective detection of weaknesses across different stages of the application lifecycle.

Requirements for testing teams

DORA also emphasizes the quality and qualifications of entities performing advanced tests. Testers must meet certain criteria, for example:

  • Advanced knowledge of wireless protocols.

  • Experience with tools for radio spectrum analysis and packet capture (e.g., Wireshark, Aircrack-ng, Kismet).

  • Ability to perform active attacks (Evil Twin, MITM, deauth, credential harvesting).

  • Experience with forensic outputs and reporting incidents and findings in accordance with the requirements of regulatory frameworks.

  • Independence of the testing team from the development team, the IT operations department, and infrastructure providers.


How does testing work in practice?

Static analysis

  • Scope definition – defining the tested code, components, libraries, and the scope of the analysis.

  • Automated scanning – running a specialized tool on the source code without the need to run the application.

  • Evaluation of findings – classification, validation, and removal of false positive vulnerabilities.

  • Recommendations and review – providing remediation proposals and feedback for developers.

Dynamic analysis

  • Scope definition – defining the target application and testing environments.

  • Attack simulation – sending inputs and performing interactions in real time while the application is running.

  • Vulnerability identification – detecting weaknesses such as XSS, SQLi, access to sensitive components, or insufficient API security.

  • Feedback and reporting – analysis of findings, remediation recommendations, and documentation for development and management.


Why collaborate with BDO?

BDO provides services in accordance with the specific requirements of European regulators (e.g., ECB, EBA, ESMA) and standards such as DORA, NIS2, and ISO/IEC 27001. Our methodology combines static and dynamic application testing, knowledge of regulations, and deep technical know-how – including an approach that reflects specific application risks and sector threats in the European financial environment.

  • Independence and credibility
    As an independent consulting firm, we do not sell our own security products and can therefore provide truly objective assessments. Cooperation with BDO is a clear signal of quality and trust for regulators and clients.
  • Certified team with expert practice
    Our specialists hold certifications such as OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO and others. They have experience testing large banks, insurance companies, and ICT providers.

Main contacts

Martin Hořický – Manager • CISO

Marek Kovalčík – Partner