What Is Static Testing?

Static testing examines software work products — requirements, design documents, code, test plans — without executing the software. You are looking at the artifact itself, searching for defects, inconsistencies, and improvements.

Dynamic testing runs the software and checks its behavior. Static testing reads the software (or its documentation) and checks its correctness.

Think of it as proofreading a recipe before cooking versus tasting the dish after cooking. Both approaches find problems, but proofreading is cheaper — you catch “add 10 cups of salt instead of 1 teaspoon” before ruining the ingredients.

Why Static Testing Matters

The cost of fixing a defect increases dramatically the later it is found:

Phase FoundRelative CostExample
Requirements1xFix the requirement document
Design5xRedesign the component
Implementation10xRewrite the code
Testing20xFix code + retest
Production100xEmergency fix + customer impact

Static testing catches defects at the earliest possible stage — before any code is written. IBM’s research found that inspections can remove 60-90% of defects before testing even begins.

What Can Be Statically Tested?

  • Requirements specifications
  • User stories and acceptance criteria
  • Architecture and design documents
  • Source code
  • Test plans and test cases
  • Database schemas
  • Configuration files
  • CI/CD pipeline definitions

Types of Reviews

Reviews are a human-driven form of static testing. They range from casual to highly formal.

Informal Review

The simplest form. One person asks a colleague to look at their work. No documented process, no formal output.

Characteristics:

  • No defined process or roles
  • Often a quick desk check or “can you look at this?”
  • No documented findings (or just verbal feedback)
  • Low overhead, easy to do frequently

When to use: Daily code changes, quick sanity checks, early drafts of documents.

Walkthrough

The author guides reviewers through the work product, explaining the content and gathering feedback. The author leads and drives the session.

Characteristics:

  • Author-led presentation
  • Can be open-ended or scenario-based
  • Findings may or may not be documented
  • Focus on learning and knowledge sharing as much as defect finding

When to use: Complex designs that need explanation, onboarding new team members, requirements that need business context.

Technical Review

A peer review where technically qualified reviewers examine the work product independently before meeting to discuss findings. More structured than a walkthrough.

Characteristics:

  • Led by a moderator (not the author)
  • Reviewers prepare individually before the meeting
  • Documented findings and decisions
  • Focused on finding technical defects and ensuring standards compliance
  • May use checklists

When to use: Critical code changes, architectural decisions, security-sensitive components.

Inspection (Fagan Inspection)

The most formal review type, developed by Michael Fagan at IBM in 1976. It follows a strict process with defined roles, entry/exit criteria, and metrics.

Roles:

  • Moderator — facilitates the process, ensures rules are followed
  • Author — created the work product, answers questions but does not defend
  • Reviewers — examine the artifact and identify defects
  • Scribe — records all defects and decisions

When to use: Safety-critical systems, regulatory requirements, high-risk components, projects where defect data must be tracked.

The Review Process

A structured review follows these phases:

graph LR P[Planning] --> O[Overview/Kickoff] O --> I[Individual Preparation] I --> R[Review Meeting] R --> RW[Rework] RW --> F[Follow-up]

1. Planning. The moderator selects reviewers, distributes materials, sets schedule, and verifies entry criteria (is the document ready for review?).

2. Overview/Kickoff. The author provides context. For inspections, the moderator explains the process and roles. For walkthroughs, the author presents the content.

3. Individual Preparation. Each reviewer examines the work product independently, noting potential defects and questions. This is the most critical phase — studies show that most defects are found during individual preparation, not during the meeting.

4. Review Meeting. Reviewers share findings. The scribe records defects. The group decides on each issue: defect, question, suggestion, or out of scope. The meeting should not solve problems — only identify them.

5. Rework. The author addresses all identified defects.

6. Follow-up. The moderator verifies that all defects were addressed. For inspections, they decide if a re-inspection is needed.

Review Checklists

Checklists make reviews systematic and repeatable. Here are examples for different work products:

Requirements Review Checklist

  • Is each requirement uniquely identifiable (ID)?
  • Is each requirement testable (can you write a test for it)?
  • Are there contradictions between requirements?
  • Are all assumptions explicitly stated?
  • Are boundary conditions defined (min, max, empty, null)?
  • Are error conditions and their handling specified?
  • Is the requirement free of ambiguous terms (“fast”, “easy”, “user-friendly”)?
  • Are all data formats specified (dates, currencies, units)?

Code Review Checklist

  • Does the code match the design/requirements?
  • Are all error conditions handled?
  • Are resources properly released (connections, files, memory)?
  • Are input values validated before use?
  • Are there any hardcoded values that should be configurable?
  • Is the code free of security vulnerabilities (SQL injection, XSS)?
  • Are there unit tests for the new code?
  • Does the code follow the team’s style guide?

Benefits of Early Defect Detection

Static testing provides benefits beyond finding bugs:

Knowledge sharing. Reviews spread understanding of the system across the team. If only one person understands a component, that is a risk.

Standard enforcement. Reviews ensure coding standards, naming conventions, and architectural patterns are consistently applied.

Mentoring. Junior developers learn from reviewing senior developers’ code and from receiving feedback on their own.

Documentation improvement. Reviewing requirements and designs forces clarity. Ambiguities that “everyone understands” get exposed.

Exercise: Conduct a Requirements Review

Below is a requirements specification for a password reset feature. Using the checklist provided earlier, identify all defects, ambiguities, and missing information.

Requirements Specification: Password Reset Feature

REQ-1: When a user clicks “Forgot Password”, the system should quickly send a reset email.

REQ-2: The reset link should expire after some time.

REQ-3: The new password must be strong.

REQ-4: After resetting the password, the user should be able to log in with the new password.

REQ-5: The system should handle errors gracefully.

REQ-6: The reset email should contain a link to the password reset page.

REQ-7: The user must enter the new password twice for confirmation.

REQ-8: If the email address is not found in the system, do not reveal this to the user (security requirement).

REQ-9: The password reset token should be cryptographically secure.

REQ-10: Rate limiting: the user should not be able to request too many reset emails.

For each defect, specify:

  1. The requirement ID
  2. The defect type (ambiguity, missing information, contradiction, untestable)
  3. A recommended fix
HintLook for words like "quickly", "some time", "strong", "gracefully", and "too many" — these are classic ambiguity triggers. Also check if there are any missing requirements for common scenarios.
Solution

Defect 1: REQ-1 — “quickly” is ambiguous

  • Type: Ambiguity / Untestable
  • Fix: “The system shall send a password reset email within 30 seconds of the user submitting the request.”

Defect 2: REQ-2 — “some time” is ambiguous

  • Type: Ambiguity / Untestable
  • Fix: “The reset link shall expire after 60 minutes from the time it was generated.”

Defect 3: REQ-3 — “strong” is ambiguous

  • Type: Ambiguity / Untestable
  • Fix: “The new password must be at least 8 characters, contain at least one uppercase letter, one lowercase letter, one digit, and one special character.”

Defect 4: REQ-5 — “handle errors gracefully” is ambiguous

  • Type: Ambiguity / Untestable
  • Fix: “If the reset token is expired, display ‘This link has expired. Please request a new password reset.’ If the token is invalid, display ‘Invalid reset link. Please request a new password reset.’”

Defect 5: REQ-10 — “too many” is ambiguous

  • Type: Ambiguity / Untestable
  • Fix: “A user may request a maximum of 3 password reset emails per hour. Additional requests shall display ‘Too many requests. Please try again in [minutes] minutes.’”

Defect 6: Missing requirement — What happens if the user clicks an expired link?

  • Type: Missing information
  • Fix: Add REQ-11: “If the user clicks an expired reset link, display a message explaining the link has expired and provide a link to request a new reset.”

Defect 7: Missing requirement — Can the user reuse a previous password?

  • Type: Missing information
  • Fix: Add REQ-12: “The new password must not match any of the user’s last 5 passwords.”

Defect 8: Missing requirement — What happens to existing sessions after password reset?

  • Type: Missing information
  • Fix: Add REQ-13: “After a successful password reset, all existing user sessions shall be invalidated.”

Defect 9: Missing requirement — Confirmation of successful reset

  • Type: Missing information
  • Fix: Add REQ-14: “After successful password reset, display a confirmation message and send a notification email to the user.”

Defect 10: REQ-8 and REQ-6 potential interaction — REQ-6 says the email contains a link, but REQ-8 says do not reveal if email is not found. What message does the user see?

  • Type: Missing information
  • Fix: Clarify REQ-8: “Regardless of whether the email exists in the system, display: ‘If an account with that email exists, a password reset link has been sent.’”

Summary: 5 ambiguities, 4 missing requirements, 1 incomplete interaction specification. A review found 10 defects before any code was written.

Review Metrics

For formal reviews, track these metrics to improve the process:

MetricWhat It MeasuresTarget
Defect densityDefects per page/KLOC reviewedTrack trend over time
Preparation ratePages reviewed per hour5-10 pages/hour
Review ratePages discussed per meeting hour3-5 pages/hour
Defect detection rateDefects found / estimated total defects> 60%
Rework effortHours to fix review findingsShould decrease over time

Key Takeaways

  • Static testing examines work products without executing code, catching defects at the earliest and cheapest stage
  • Reviews range from informal (desk check) to formal (inspection with defined roles and metrics)
  • Individual preparation is the most effective phase — most defects are found before the meeting
  • Checklists make reviews systematic and prevent common oversights
  • The review process follows: planning, kickoff, preparation, meeting, rework, follow-up
  • Static testing benefits go beyond defect finding: knowledge sharing, standard enforcement, and mentoring
  • Requirements reviews are especially valuable — one ambiguous requirement can cascade into many implementation defects