Our company employs an approach termed "static analysis" as it takes an application package (generally a MSI application package) whereas the application package configuration information is extracted and then inserted in a specially formatted database. In addition, all of the binaries (files) included in that application package are extracted to the target file-system and all binary information including; API's, COM, DLL header and dependency information is captured and inserted into a target database.
"Dynamic Analysis" requires the actual exercising of an application (installing, configuring, running, testing, uninstalling). This is a deep-dive approach that really suits application developers but not necessarily corporate system administrators.
For example, the following questions are raised when conducting dynamic analysis testing scenarios.
- Do you need to test/exercise/run your applications for a period of time (months/weeks) ?
- Do you need to install an agent?
- Do you need to create model office? (workstations, power, networking, OS config)?
- Do you need to install the application and configure it?
- Do you need to spend 4, 8, 24 hours testing your applications?
- Can you capture the testing data and then re-analyse the results for other platforms? 64-bit, App-V, Citrix, RDS, Office 2010, Internet Explorer 8/9?
- How do you create consistent test results from other testers and locations?
- Do you need access to back-end systems and databases?
- Do you need to acquire/configure/install future planned test applications (license issues) ?
And, here are some of the benefits of using the static analysis approach
- No agent: no change control requirement, no risk to business production environment
- No applications licenses required, no copyright issues.
- Applications binary level analysed, not installed or run
- Application data-capture and analysis in minutes - Vastly improved reporting time
- Applications can be cross-tested against different technologies and platforms
Of course, I have a bias here. And, I promise to post more on the strengths and weaknesses of both approaches.