It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release.

A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)) or a web application scanner (e.g., [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) or [w3af](https://w3af.org/)). In some cases the [OSS-Fuzz](https://github.com/google/oss-fuzz#introduction) project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The [Wikipedia page on dynamic analysis](https://en.wikipedia.org/wiki/Dynamic_program_analysis) and the [OWASP page on fuzzing](https://www.owasp.org/index.php/Fuzzing) identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. #470

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions