As a result of the booming cloud application market, companies are increasingly — and rationally — concerned with the security of their applications and the data associated with them.
There are hundreds, if not thousands, of security risks to all kinds of applications. There are also hundreds of tools available today that are designed to address those risks and remediate issues before an attack takes place. Two of the most commonly used solutions are static application security testing (SAST) software and dynamic application security testing (DAST) software.
SAST vs. DAST: Application security testing explained
SAST and DAST are two classes of security testing tools that take a unique approach to solving issues related to application security. SAST tools analyze an application’s underlying components to identify flaws and issues in the code itself. DAST tools test working applications for outwardly facing vulnerabilities in the application interface. Both tools are entirely necessary, but analyze application security in very different ways.
|Static Application Security Testing (SAST)||Dynamic Application Security Testing (DAST)|
|White-box testing||Black-box testing|
|Requires application source code||Requires functional application|
|Performed in early stages of software development lifecycle (SDLC)||Performed at the end of software development lifecycle (SDLC)|
|Identifies easy-to-fix bugs, flaws and vulnerabilities||Discovers late-stage vulnerabilities; typically requires a new deployment cycle or emergency release|
|Cannot discover runtime issues||Cannot discover source code issues|
|Used for all kinds of applications and software||Limited to testing web applications and services|
What is static application security testing?
Static application security testing (SAST) tools are white-hat testing solutions, meaning they require access to source code to function. SAST tools help software developers and security professionals analyze an application’s underlying source code for flaws and vulnerabilities.
White-hat, or white-box, testing requires users to possess information related to code and security architecture to examine non-compiled code. SAST tools are notorious for flagging safe code (false positives) because they don't actually execute the code. Still, these tools are highly effective in identifying issues early in the software development lifecycle such as numerical errors, race hazards, or directory traversals, among many others.
Because SAST tools are capable of discovering source code issues, they’re commonly used by agile and DevOps teams. These issues are typically easy to fix, but don’t examine the application from a functional standpoint. Those issues require additional testing tools that allow developers to view the application from an outside hacker’s perspective.
What is dynamic application security testing (DAST)?
Dynamic application security testing (DAST) tools are used for black-box testing. This means that tests are performed from outside a functioning application, rather than on its source code.
DAST tools are capable of discovering exploitable vulnerabilities including SQL injection, cross-site scripting, and authentication issues, among others. This method gives security professionals and developers a third-party perspective of threats, viewing an app much like a hacker outside the organization would.
DAST tools mimic real-world functionality, allowing users to view how an application responds to certain common threats or actions. As such, the application needs to be in a functional state to test. DAST tools are usually most effective in identifying threats during the end of the development lifecycle. Late-stage issues may involve fixing multiple components of an application, and may be critical to securing functionality.
DAST tools allow users to simulate realistic attacks and threats to discover vulnerabilities not found in an application’s source code. They’re flexible and customizable tools used for comprehensive assessment of applications of all sizes.
Interactive application security testing
SAST and DAST tools are typically used to complement each other, addressing security issues related to both inside and outside threats. Using these tools together is commonly referred to as interactive application security testing (IAST).
IAST is a hybrid approach that combines these techniques to identify how application functionality and its underlying architecture can affect the results of dynamic testing. IAST tools, or the combination of SAST and DAST tools, can identify flaws in code that don’t appear as vulnerabilities from an initial code scan, but do present issues when the application is running.
Users often simulate specific environments to perform conditional tests and report on how different data flows and scenarios affect application performance and security. Using the tools in tandem is known to reduce testing time and the frequency at which false positives occur, making it a popular method for agile and DevOps teams.
Other application security testing tools
Vulnerability scanners are closely related to DAST tools, and some consider them to be the same thing. In terms of functionality, though, DAST is simply a component of vulnerability scanning. Vulnerability scanners offer a wide range of testing capabilities for performing DAST operations, but also for analyzing a number of additional risk factors related to security on all kinds of applications, networks and websites.
Penetration testing tools
While some DAST products offer penetration testing as a feature, penetration is a very specific type of test, just one of many security tests that require a working application. Penetration tests identify vulnerabilities at the point of access or evaluate firewalls, ports and servers.
RASP stands for runtime application self-protection. RASP is unlike SAST and DAST in that the tool actually lives and operates within an application at the operating system level. RASP tools monitor the functionality of applications as they operate to detect incidents and alert security teams of attacks as they arise.
Static analysis tools
Static code analysis tools are very similar to SAST products in that they analyze an application’s source code. Some of these tools will not only have functionality for detecting security-specific issues, but also offer additional features for abstract interpretation, data-flow analysis, and logic analysis.
Are you a security professional interested in security tools? Check out our guide to penetration testing, which includes 5 pen-testing tools to consider in 2019.