
What are the subtle differences in both - as one could say that both are almost the same...

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL).

https://owasp.org/www-community/controls/Static_Code_Analysis

schroeder
  • Did you also read this? https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide-V1_1.pdf – schroeder Apr 13 '20 at 21:16
  • The link you provide, in the *very next sentence* says: "Static Code Analysis commonly refers to the running of Static Code Analysis tools..." – schroeder Apr 13 '20 at 21:17

1 Answer


Security Static Code Analysis is a form of SAST (Static Application Security Testing). It covers all methods of analyzing source code for security weaknesses and vulnerabilities. This includes manual as well as automated methods. It is called static analysis to distinguish it from DAST (Dynamic Application Security Testing), where the tests are performed against the running application itself.

Security Code Review is a form of Security Static Code Analysis, but usually excludes purely automated approaches. You talk about a code review if one or more security analysts go through the code and review it. Often, some form of automation is used to make the review more efficient.

Demento
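As an added illustration of the distinction the answer draws (this is example code written for this page, not code from the question, the answer or OWASP): a toy AST-based static analysis rule in Python. It flags fixed syntactic patterns in a constructed sample, but reports nothing for a second constructed sample whose flaw is a missing authorization check, the kind of finding that only a human reviewer who knows the intended access rules will make.

```python
"""Minimal AST-based static analysis rule (a toy SAST check), constructed for
this page; it is not OWASP's or any vendor's tool."""
import ast

# Names the toy rule treats as dangerous sinks.
DANGEROUS_CALLS = {"eval", "exec"}
SHELL_FUNCS = {"os.system", "os.popen"}

def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called expression, e.g. 'os.system'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def scan(source: str):
    """Return (line, message) findings for the syntactic patterns the rule knows."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"use of {name}()"))
        elif name in SHELL_FUNCS:
            findings.append((node.lineno, f"shell command via {name}()"))
        elif any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                 and k.value.value is True for k in node.keywords):
            findings.append((node.lineno, f"{name}() called with shell=True"))
    return findings

# Constructed sample 1: syntactic patterns the automated rule catches.
SAMPLE_PATTERN = '''
import subprocess, os
def run(cmd):
    subprocess.run(cmd, shell=True)
    os.system("ls " + cmd)
'''

# Constructed sample 2: a missing authorization check. No dangerous call
# appears, so the rule reports nothing; only a reviewer who knows the
# intended access rules will spot it.
SAMPLE_LOGIC = '''
def delete_account(request, user_id):
    return db.delete("users", user_id)   # never checks request.user's rights
'''
```

Calling `scan(SAMPLE_PATTERN)` returns two findings (lines 4 and 5 of the sample) while `scan(SAMPLE_LOGIC)` returns an empty list.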