Static Source Code Analysis (SSCA) is a technique that statically analyzes program source code to detect problems within the source code. That is, SSCA performs such analysis without actually executing (running) the program. In some examples, problems within the source code can compromise the security of a computer program. Such problems can be caused by unchecked (un-validated) data flows from a source (e.g., input from a user) to a sink (e.g., access to a database). Dynamic Source Code Analysis (DSCA) is a technique that dynamically analyzes program source code, i.e., while the program is executing (running).
SSCA and DSCA have respective strengths and weaknesses. For example, SSCA may be prone to a relatively higher number of false positives (e.g., falsely indicating an error in the source code), and DSCA may be prone to a relatively higher number of false negatives (e.g., missing an error in the source code).
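The following is an added worked example, not part of the original text, illustrating both paragraphs: a toy static taint tracker over Python's `ast` module that reports unchecked flows from a source (user input) to a sink (database access), placed beside a toy dynamic check that runs the same program with one concrete input and records which sinks actually fire. The sample program, the source/sink/sanitizer names (`get_param`, `execute`, `int`, `escape`) and the stub inputs are constructed for the example. The static pass flags a `DELETE` sink that is guarded by a condition that can never hold at run time (a false positive, since it does not reason about path feasibility), while the dynamic run never reaches that sink at all and so says nothing about it (a false negative for any input it is not exercised with).

```python
import ast

# Constructed vocabulary for the toy analyzer (not a real library's configuration).
SOURCES = {"input", "get_param"}   # calls whose result is attacker-controlled
SINKS = {"execute"}                 # attribute/function calls that must not receive tainted data
SANITIZERS = {"int", "escape"}      # calls whose result is treated as validated

# Constructed sample program under analysis.
SAMPLE = '''
def lookup(cursor):
    user_id = get_param("id")                                      # source
    safe_id = int(user_id)                                         # sanitizer
    cursor.execute("SELECT * FROM t WHERE id = " + str(safe_id))   # checked flow
    name = get_param("name")                                       # source
    cursor.execute("SELECT * FROM t WHERE name = '" + name + "'")  # unchecked flow
    if len(name) < 0:                                              # never true at run time
        cursor.execute(f"DELETE FROM t WHERE name = '{name}'")     # unreachable unchecked flow
'''


def _callee_name(call):
    """Return the simple name of the called function or attribute, if any."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class TaintTracker(ast.NodeVisitor):
    """Flow-insensitive, path-insensitive taint propagation over assignments."""

    def __init__(self):
        self.tainted = set()   # variable names currently considered attacker-controlled
        self.findings = []     # line numbers of sink calls that receive tainted data

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SANITIZERS:
                return False           # validated: taint is cleared
            if name in SOURCES:
                return True            # fresh attacker-controlled value
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):   # string concatenation propagates taint
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):   # f-strings propagate taint
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if _callee_name(node) in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append(node.lineno)
        self.generic_visit(node)


def analyze_statically(source):
    """SSCA stand-in: return line numbers of sinks reached by unchecked source data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


def run_dynamically(source, params):
    """DSCA stand-in: execute the sample with stub inputs and record the queries that reach the sink."""
    executed = []

    class RecordingCursor:
        def execute(self, query):
            executed.append(query)

    env = {"get_param": lambda key: params[key]}   # constructed stub for the source
    exec(compile(source, "<sample>", "exec"), env)
    env["lookup"](RecordingCursor())
    return executed


if __name__ == "__main__":
    print("static findings (lines):", analyze_statically(SAMPLE))
    print("dynamic sink calls:", run_dynamically(SAMPLE, {"id": "7", "name": "alice"}))
```

The static pass reports lines 7 and 9 of the sample, the second of which can never execute; the dynamic run with the constructed input reaches only the two `SELECT` statements, so it observes the real injection on line 7 only if the test input happens to be malicious and never observes line 9 at all. This is the trade-off the paragraph above describes: path-insensitive static analysis over-approximates (false positives), while dynamic observation is bounded by the inputs and paths actually exercised (false negatives).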