When choosing a security testing strategy there are multiple options, and vendors and practitioners offer varied recommendations. One of the dilemmas is which of the two main testing strategies to choose: static or dynamic analysis, commonly known as SAST and DAST.
The ideal is obviously to have both, but budget, technology and delivery considerations may raise questions such as: which one to adopt first? Which is more effective and more needed?
The answers will obviously depend on the unique conditions of the project, domain and organization, but knowing the defining aspects of SAST and DAST helps relate them to one's own circumstances.
SAST: Static Application Security Testing
As the name suggests, SAST is concerned with static code analysis: finding vulnerabilities in source code, binaries or byte code. A running system is not required for vulnerability assessment with this technique. Its advantages are:
ADVANTAGES of Using SAST
- Get to know the security flaws while the code is being developed
- Do not need a deployment environment to perform security testing
- Earliest possible detection of security flaws
- Encourages use of secure coding practices in organizations
- Enables identification of root cause of security issues
- Enables identification of developers following secure coding practices
- Ideal for development phase
While SAST may seem perfect, it has limitations, most of which are addressed by dynamic application security testing.
DAST: Dynamic Application Security Testing
Dynamic application security testing aims to identify security vulnerabilities in the runtime environment. It finds vulnerabilities by emulating the behaviour of attackers against the application when it is fully deployed and running. This technique does not look at the source code or the binary to assess vulnerabilities in the application. Its advantages are as follows:
ADVANTAGES of Using DAST
- Simulates hacker behavior
- Finds vulnerabilities created by the gaps in deployment
- Can find flaws in business logic
- Capable of detecting vulnerabilities in third party libraries
- Code submission is not needed
- Comparatively lower in cost
- Easier to adopt
Since DAST is not tied to the development cycle, it generally does not provide valuable feedback for building security into the development process. It is more of a preventive check than a way of making secure applications part of the organizational DNA. It is also difficult to trace a threat or vulnerability it reports back to the exact location in the code.
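To make the contrast concrete, here is an added example (written for this page, not code from the author or any DAST product) of the kind of black-box check a DAST tool performs. It runs against a constructed WSGI application called in-process through the standard `wsgiref` module, so no server or network is needed; everything the scan knows comes from the HTTP responses. The deployment gaps it reports, a debug error page that leaks a stack trace, a Server header disclosing a version, and missing security headers, are configuration choices that a scan of the source alone would not see. Note also that each finding names a symptom, not a file and line.

```python
import traceback
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults


def make_app(debug: bool, hardened_headers: bool):
    """Constructed WSGI application standing in for a deployed web app.

    The same code can be deployed with debug on or off and with or without
    security headers; that difference lives in deployment, not in the source.
    """
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        query = parse_qs(environ.get("QUERY_STRING", ""))
        # Framework name and version below are constructed for the example.
        headers = [("Content-Type", "text/plain; charset=utf-8"),
                   ("Server", "ExampleFramework/1.2.3")]   # version disclosure
        if hardened_headers:
            headers = [("Content-Type", "text/plain; charset=utf-8"),
                       ("Server", "app"),
                       ("X-Content-Type-Options", "nosniff"),
                       ("Content-Security-Policy", "default-src 'self'")]
        try:
            if path == "/report":
                # Raises ValueError on non-numeric input; nothing is executed or queried.
                report_id = int(query.get("id", ["0"])[0])
                body = f"report {report_id}"
            else:
                body = "ok"
            start_response("200 OK", headers)
            return [body.encode()]
        except Exception:
            start_response("500 Internal Server Error", headers)
            if debug:
                # Debug-mode error page: the stack trace goes to the client.
                return [traceback.format_exc().encode()]
            return [b"internal error"]
    return app


def request(app, path, query=""):
    """Issue one in-process HTTP request and capture status, headers and body."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode(errors="replace")


def dast_scan(app):
    """Black-box checks: only responses are inspected, never the source code."""
    findings = []
    status, headers, body = request(app, "/")
    if "X-Content-Type-Options" not in headers:
        findings.append("missing X-Content-Type-Options header")
    if "Content-Security-Policy" not in headers:
        findings.append("missing Content-Security-Policy header")
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses version: {server}")
    status, headers, body = request(app, "/report", "id=not-a-number")
    if status.startswith("500") and "Traceback" in body:
        findings.append("error page leaks stack trace (debug mode enabled)")
    return findings


if __name__ == "__main__":
    for finding in dast_scan(make_app(debug=True, hardened_headers=False)):
        print("DAST finding:", finding)
```

Swapping in `make_app(debug=False, hardened_headers=True)` makes the scan return no findings. The header names checked are standard HTTP response headers; the application, its Server string and the suppressed error text are constructed for the example.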
False Positives
A common issue with both techniques is false positives. Minimizing the false positives returned by either technique remains a challenge, though as the security testing group matures they are more easily identified. Most SAST and DAST tools let users customize them to disable or modify the rules that return false positives.
SAST and DAST Both Needed
DAST, being the relatively cheaper and quicker option, should always be used before production deployment; this certifies the application's strength against actual attacker threats. SAST, meanwhile, improves development practices in terms of application security and addresses most issues at the root. Fixes for vulnerabilities found with SAST are usually easier to identify and apply. The two techniques complement each other and address threats at different levels.