What type of analysis is used to find initial security issues during a code review?


Static analysis is the type of analysis used to find initial security issues during a code review because it examines the source code without executing it. This technique uses automated tools to identify potential vulnerabilities, coding-standard violations, and other security flaws early in the development process. By analyzing the code in its static form, developers can catch issues such as buffer overflows, SQL injection vulnerabilities, and other common security weaknesses before the software is run or deployed.

This proactive approach helps developers address security concerns early, reducing the risk of more serious security issues emerging later in the development lifecycle or after deployment. Static analysis tools can scan through large volumes of code quickly and provide immediate feedback, making them an essential part of secure software development practices.

Dynamic analysis, on the other hand, tests the software while it is running, which makes it better suited to identifying runtime issues than initial security problems. Manual inspection relies on human reviewers to read the code, which can be time-consuming and less comprehensive than automated static analysis tools. Fuzz testing exercises input validation and uncovers security vulnerabilities by feeding the program random data; it is also an important security testing technique, but it is not used during the initial code review phase.
