Static code analysis identifies security vulnerabilities efficiently in source code, byte code or binaries. In addition to security vulnerability the available toolset has expanded the scope to testing code repetitions, code quality etc.
- Unbound Buffer Errors, e.g., buffer overflow
- Script Injections: XSS, CSRF (cross-site) etc.
- Command injections: SQL, LDAP etc.
- Fortify, PVS Studio, Raxis, ...
While static code analysis is executed on the source base, Dynamic code analysis is the method of debugging by examining an application during or after a program is run.
- Undocumented Open port scanning
- API vulnerability : Authentication, Authorization, API bounds check
- Nessus, Qualis, nmap, ...
There are many authorative sources they have document top vulnerabilities. Here are some of the sources.
- oswap top 10 - https://owasp.org/www-project-top-ten/
- SANS top 25 - https://www.sans.org/top25-software-errors/