Web Application Security Testing: SAST, DAST or IAST?
Monday, August 10, 2015
In this short blog post we will try to explain, quickly and simply, the difference between the SAST and DAST testing methodologies, their advantages and disadvantages, and whether it makes business sense to combine them.
Since 2011 Gartner has been talking about combining the SAST and DAST approaches to application security testing (AST), which has raised a lot of questions about what that means in practice.
The recommendations and facts below apply mainly to web applications, which have become the weakest point in corporate defenses.
Static Application Security Testing (SAST) is an internal audit of an application in which the security auditor or tool has full access to the application's source code or binaries. Probably the biggest service sold as SAST on the Managed Security Services market is source code review, which can be performed manually, automatically or both. SAST's main advantage is that it can detect the most complicated vulnerabilities, the ones that are invisible and practically undetectable without the source code. Moreover, SAST gives you the precise location of the flaw in your code, down to the line number. However, that is probably the only solid advantage SAST has over the other methodologies.

From the business point of view, companies have little interest in spending money on detecting, and especially on remediating, flaws that an attacker is unlikely to find without first obtaining the application's source code. Moreover, a SAST solution usually has to be integrated into the corporate SDLC so that vulnerabilities are detected and fixed before the application is deployed to production, something that the majority of software developers hate to do. Among SAST's other disadvantages we can highlight a high number of false positives (for automated tools) and its inability to test the application in its real environment, where third-party code, application logic or an insecure configuration may introduce serious vulnerabilities that the source alone does not reveal. Nevertheless, for business-critical applications that will stay in service for many years, SAST remains a very useful, comprehensive and efficient approach.
Dynamic Application Security Testing (DAST) tests the application from the "outside", while it is running in a test or production environment. Practically speaking, a black-box penetration test, an automated vulnerability scan or a managed vulnerability scanning service can all be classified as DAST. Among DAST's advantages we can highlight speed, flexibility and scalability, as well as quick and simple integration into the corporate security strategy without directly involving the [unhappy] web developers (who are quite often outsourced or externalized to cut costs). However, fully automated DAST solutions also have significant limitations: false positives and false negatives. False negatives (missed vulnerabilities) are probably the biggest problem of all automated solutions, since complicated vulnerabilities, and those that are not reachable [from the outside], can remain undetected: a scanner only tests the entry points it knows about, with the inputs it thinks to send. Nevertheless, from the business point of view, DAST remains a highly efficient, fast and easy-to-deploy solution for detecting vulnerabilities and weaknesses.
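To make the SAST and DAST trade-offs from the two paragraphs above concrete, here is an added example (not code from the original post, and not any vendor's scanner) that points a toy static taint rule and a toy black-box probe at the same constructed sample module. The sample application, the naive rule, the simulated router and the probe payload are all assumptions made for this illustration. The static scan reports line numbers, finds the unrouted `admin_export` that no outside test could reach, and produces a false positive on `lookup_by_id`, which coerces its input with `int()`; the dynamic scan finds only the injection it can actually reach through a known path and misses `admin_export` entirely.

```python
"""Toy SAST and DAST scanners pointed at one constructed sample module.

Everything here is illustrative: the sample application, the naive taint
rule and the black-box probe are assumptions made for the example.
"""
import ast
import sqlite3

# Constructed sample application source (not a real project). lookup_user is
# injectable; lookup_by_id coerces its input with int() and is safe;
# admin_export is injectable but, in the simulated app below, never routed.
SAMPLE_SOURCE = '''
import sqlite3

def lookup_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
    return cur.fetchall()

def lookup_by_id(conn, user_id):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE id = " + str(int(user_id)))
    return cur.fetchall()

def admin_export(conn, table):
    cur = conn.cursor()
    cur.execute("SELECT * FROM " + table)
    return cur.fetchall()
'''


def sast_scan(source):
    """Naive static taint rule: flag every .execute() call whose query
    expression mentions a parameter of the enclosing function.
    Returns (function name, line number) pairs, like a real SAST report."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                used = {n.id for n in ast.walk(node.args[0]) if isinstance(n, ast.Name)}
                if used & params:
                    findings.append((func.name, node.lineno))
    return findings


def build_app(source):
    """Load the sample module and expose two of its functions as routes, the
    way a web framework would. admin_export is deliberately left unrouted."""
    ns = {}
    exec(source, ns)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    routes = {"/user": ns["lookup_user"], "/user_by_id": ns["lookup_by_id"]}

    def app(path, value):
        """Simulated HTTP handler returning (status, body). Like many real
        apps, the error page leaks the exception type."""
        handler = routes.get(path)
        if handler is None:
            return 404, "not found"
        try:
            return 200, repr(handler(conn, value))
        except Exception as exc:
            return 500, f"{type(exc).__name__}: {exc}"
    return app


def dast_scan(app, paths):
    """Black-box probe: send a stray quote to each known path and treat a
    database error in the response as an SQL injection finding."""
    findings = []
    for path in paths:
        status, body = app(path, "x'")
        if status == 500 and "OperationalError" in body:
            findings.append(path)
    return findings


def compare(source, known_paths=("/user", "/user_by_id")):
    """Run both scanners against the same code and return the findings side by side."""
    return {"sast": sast_scan(source), "dast": dast_scan(build_app(source), known_paths)}


if __name__ == "__main__":
    print(compare(SAMPLE_SOURCE))
```

The static report lists three lines (6, 11 and 16); line 11 is the false positive the paragraph on SAST warns about, and line 16 is the kind of finding that only matters if an attacker ever reaches that code. The dynamic report contains just `/user`: the probe never learns that `admin_export` exists, which is the false negative the paragraph on DAST describes, and it correctly stays silent on `/user_by_id` because the `int()` coercion turns the payload into a harmless `ValueError` rather than a database error.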
Interactive Application Security Testing (IAST) is a combination of SAST and DAST designed to leverage the strengths of both. From the practical point of view, however, implementing an IAST solution is not an easy task. Positive Technologies wrote a very good piece about the challenges of IAST, in which they compared it to "crossing a hedgehog with a snake". Obviously, when you can correlate the results of SAST and DAST testing you get the broadest view of an application's security problems. However, a manual or semi-manual, time-consuming correlation of two reports is not a true IAST solution, which is supposed to let the SAST and DAST components interact on the fly, without human intervention.
In conclusion, we recommend using SAST, DAST or a combination of both, depending on the business needs and priorities of your organization. For the majority of live web applications, DAST alone is enough to prevent the most critical practical cyber risks to your business, while for highly critical web applications and web services a SAST code review is also very useful, to make sure that no hidden vulnerabilities were missed during the DAST audit.