184 Core Software Security
useful for determining that allocations for hardware and software
are made appropriately for the design architecture; it would be quite
costly to learn in system testing that the performance problems are
caused by the basic system design. An automated simulation may be
appropriate for larger designs. Prototyping can be used as an aid in
examining the design architecture in general or a specific set of functions.
For large, complicated systems, prototyping can prevent inappropriate
designs from resulting in costly, wasted implementations.³²
• Dynamic analysis techniques help to determine the functional and
computational correctness of the code. Regression analysis is used to
re-evaluate requirements and design issues whenever any significant
code change is made. This analysis ensures awareness of the original
system requirements. Sizing and timing analysis is performed during
incremental code development and analysis results are compared
against predicted values.³³
• Dynamic analysis in the test phase involves different types of testing
and test strategies. Traditionally there are four types of testing:
unit, integration, system, and acceptance. Unit testing may be either
structural or functional testing performed on software units, modules,
or subroutines. Structural testing examines the logic of the units
and may be used to support requirements for test coverage—that is,
how much of the program has been executed. Functional testing
evaluates how software requirements have been implemented. For
functional testing, testers usually need no information about the
design of the program, because test cases are based on the software
requirements.³⁴
• The most commonly used dynamic analysis techniques for the final
phase of the SDLC are regression analysis and test, simulation, and
test certification. When any changes to the product are made during
this phase, regression analysis is performed to verify that the basic
requirements and design assumptions affecting other areas of the
program have not been violated. Simulation is used to test operator
procedures and to isolate installation problems. Test certification,
particularly in critical software systems, is used to verify that the
required tests have been executed and that the delivered software
product is identical to the product subjected to software verification
and validation.³⁵
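The test certification check described in the last bullet can be automated. The following is an added example, not code from the book: it confirms that every required test was executed and that each delivered artifact is byte-identical (by SHA-256) to the build that went through verification and validation. The record layout, file names and sample data are constructed assumptions, and treating a failed test as a finding is an assumption of this example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def certify(record: dict, executed: dict, delivered: dict) -> list:
    """Return a list of findings; an empty list means certification passes.

    record:    {"required_tests": [names], "artifacts": {name: sha256 hex}}
    executed:  {test name: "pass" or "fail"} taken from the test run
    delivered: {artifact name: bytes} as found in the delivery package
    """
    findings = []
    # 1. Every required test must appear in the executed set.
    for test in record["required_tests"]:
        status = executed.get(test)
        if status is None:
            findings.append(f"required test not executed: {test}")
        elif status != "pass":  # assumption: a failed test blocks certification
            findings.append(f"required test did not pass: {test}")
    # 2. Every verified artifact must be delivered unchanged.
    for name, expected in record["artifacts"].items():
        if name not in delivered:
            findings.append(f"artifact missing from delivery: {name}")
        elif not hmac.compare_digest(sha256_hex(delivered[name]), expected):
            findings.append(f"artifact differs from verified build: {name}")
    # 3. Nothing may ship that was never subjected to V&V.
    for name in sorted(set(delivered) - set(record["artifacts"])):
        findings.append(f"artifact never subjected to V&V: {name}")
    return findings


# Constructed sample data (not from the book).
VERIFIED_BUILD = {"app.bin": b"release-build-1", "config.json": b'{"tls": true}'}
RECORD = {
    "required_tests": ["unit", "integration", "system", "acceptance"],
    "artifacts": {n: sha256_hex(b) for n, b in VERIFIED_BUILD.items()},
}
EXECUTED = {"unit": "pass", "integration": "pass", "system": "pass"}
DELIVERED = {"app.bin": b"release-build-1-patched",
             "config.json": b'{"tls": true}', "extra.so": b"x"}

if __name__ == "__main__":
    for finding in certify(RECORD, EXECUTED, DELIVERED):
        print(finding)
```

In practice the certification record would itself be signed or stored where the delivery pipeline cannot modify it, since the comparison is only as trustworthy as the recorded hashes.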