Static and Dynamic Testing Described


    In a February 2005 COTS Journal article on automated testing, co-authors Bob Fleck and John Viega, executives of Secure Software (http://www.securesoftware.com), discuss the pros and cons of dynamic and static testing and recommend a combination of the two. Notably for sourcingmag readers, they also warn about the risks of dynamic testing:

    For instance, a part of the U.S. government (which can’t be named here) once deployed a critical piece of software after dynamically testing it for many months, over which time they concluded that it only accessed a particular set of resources on the Internet. After the testing was finished, they found out by looking at their firewall logs that the application occasionally “called home” to a web site outside of the country, reporting back information. Had there been a firewall that had a more liberal policy on outbound traffic, this incident could have revealed some important data, even if the offshore developer didn’t have malicious employees inserting backdoors.

    http://www.cotsjournalonline.com/home/article.php?id=100262