
Thursday, 11 December 2014

Static or Dynamic Security? How to Prioritize Between SAST and DAST?



When choosing a security testing strategy there are multiple options, and the vendors and practitioners involved give varied recommendations. One common dilemma is which of the two main testing approaches to adopt: static or dynamic, commonly known as SAST and DAST.

The ideal approach is obviously to have both, but budget, technology and delivery considerations may raise questions such as:

Which one to choose first? Which is more effective and more needed?

The answers will depend on the unique conditions of the project, domain and organization, but knowing the defining aspects of SAST and DAST helps relate them to those circumstances.

SAST: Static Application Security Testing

As the name suggests, SAST is concerned with static analysis: finding vulnerabilities in source code, binaries or byte code without executing the application. A running system, and therefore a deployment environment, is not required. The advantages of this technique are:

ADVANTAGES of Using SAST

  • Get to know the security flaws while the code is being developed
  • Does not need a deployment environment to perform security testing
  • Earliest possible detection of security flaws
  • Encourages use of secure coding practices in organizations
  • Enables identification of the root cause of security issues (a finding points at a file and line)
  • Enables identification of developers following secure coding practices
  • Ideal for the development phase

While it may seem that SAST is perfect, it has its limitations: it only sees the code it is given, so it cannot find flaws introduced by configuration, deployment or the runtime environment, and its findings need triage before they can be trusted. Most of these limitations are addressed by dynamic application security testing.

DAST: Dynamic Application Security Testing

Dynamic application security testing aims at identifying security vulnerabilities in the runtime environment. It finds vulnerabilities by emulating an attacker's behaviour against the application when it is fully deployed and running: sending crafted requests and observing how the application responds. It does not look at the source code or the binary to assess vulnerabilities. The advantages of this technique are as follows:

ADVANTAGES of Using DAST

  • Simulates attacker behaviour
  • Finds vulnerabilities created by gaps in deployment and configuration
  • Can find flaws in business logic
  • Capable of detecting vulnerabilities in third party libraries, since it tests the application as a whole
  • Code submission is not needed
  • Comparatively lower in cost
  • Easier to adopt

Since DAST is not tied to the development cycle, it generally does not provide feedback that helps infuse security into the development process. It acts more as a gate before deployment than as a way of making secure applications part of the organizational DNA. It is also difficult to trace a finding back to the exact location in the code: DAST reports the URL, parameter and observed behaviour, not the line that caused it.
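The contrast between the two approaches is easiest to see on one concrete bug. The script below is an added illustration for the SAST and DAST sections above; it is not the author's code and not a vendor tool. It constructs a small, deliberately vulnerable lookup function (the names `find_user`, `find_user_safe`, the `users` table and the `/users?name=` endpoint are all assumptions made here), runs a SAST-style check over its source without executing it, then "deploys" the same code behind a request handler and runs a DAST-style probe against that surface. The static check reports a file and line; the dynamic check reports only a parameter, a payload and the changed response.

```python
"""SAST-style and DAST-style checks run against one toy application."""
import ast
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed sample application under test (not from the post). It is
# deliberately vulnerable and kept as a string so that the static check can
# parse it and the dynamic check can "deploy" and run it, all offline.
APP_SOURCE = '''
def find_user(conn, username):
    # string-built query: attacker input becomes part of the SQL text
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # parameterised query: the driver keeps data out of the SQL grammar
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


def _is_string_built(node):
    """True for f-strings and for `+` expressions with a string literal operand."""
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add)
            and any(isinstance(side, ast.Constant) and isinstance(side.value, str)
                    for side in (node.left, node.right)))


def sast_find_string_built_sql(source, filename="app.py"):
    """Static check: flag .execute(...) calls whose SQL argument was built by
    concatenation or an f-string. Nothing is executed, and every finding is
    a (file, line, function) triple, i.e. the root cause in the code."""
    findings = []
    tree = ast.parse(source, filename)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()  # local names assigned from a string-built expression
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_string_built(node.value):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                sql = node.args[0]
                if _is_string_built(sql) or (isinstance(sql, ast.Name) and sql.id in tainted):
                    findings.append((filename, node.lineno, func.name))
    return findings


def build_app(safe=False):
    """Stand-in for a deployed endpoint `/users?name=...` returning (status, body).
    The dynamic probe only sees this surface, never the source behind it."""
    namespace = {}
    exec(APP_SOURCE, namespace)  # "deploy" the sample code
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    lookup = namespace["find_user_safe" if safe else "find_user"]

    def app(query_string):
        name = parse_qs(query_string).get("name", [""])[0]
        try:
            rows = lookup(conn, name)
        except sqlite3.Error as exc:
            return 500, "database error: %s" % exc
        return 200, "%d user(s)" % len(rows)

    return app


def dast_probe_sqli(app, param="name"):
    """Dynamic check: send a harmless baseline, then a tautology payload and a
    quote-breaking payload. A changed response (more rows, or a 500) means the
    input reached the SQL engine unsanitised. Findings name the parameter and
    payload, not a line of code."""
    baseline = app(urlencode({param: "no_such_user"}))
    findings = []
    for payload in ("no_such_user' OR '1'='1", "no_such_user'"):
        status, body = app(urlencode({param: payload}))
        if (status, body) != baseline:
            findings.append({"param": param, "payload": payload,
                             "status": status, "body": body})
    return findings


if __name__ == "__main__":
    for finding in sast_find_string_built_sql(APP_SOURCE):
        print("SAST  %s:%d in %s(): SQL built from strings" % finding)
    for finding in dast_probe_sqli(build_app(safe=False)):
        print("DAST  param=%(param)s payload=%(payload)r -> %(status)d %(body)s" % finding)
    print("DAST against the parameterised version:", dast_probe_sqli(build_app(safe=True)))
```

Run stand-alone, the static check names `app.py:5` inside `find_user`, which is exactly where the fix goes, while the dynamic probe can only say that the `name` parameter behaves differently under a tautology payload and returns a 500 on a stray quote. Against `find_user_safe` the probe finds nothing, because the parameterised query never lets the payload reach the SQL grammar. Real SAST tools track data flow across functions and files rather than a single assignment, and real DAST scanners crawl the application to discover parameters, but the division of labour is the same: one points at the code, the other at the exposed behaviour.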

False Positives

A common issue with both techniques is false positives. Minimizing the false positives returned remains a challenge, though as the security testing group matures they become easier to recognise. Most SAST and DAST tools let users customize them, disabling or tuning the rules that keep returning false positives.

SAST and DAST Both Needed

DAST, being relatively cheaper and quicker to set up, should always be used before production deployment; it validates the deployed application against realistic attacker behaviour. SAST, on the other hand, improves development practices in terms of application security and addresses most issues at the root; vulnerabilities found with SAST are usually easier to fix because the finding points at the code responsible. The two techniques complement each other and address threats at different levels.

1 comment:

  1. Nice blog. Thanks for providing complete information about static application security testing SAST and DAST security.
