Web Application Security Testing: SAST, DAST or IAST?

Since early 2011, Gartner has been writing about how to combine Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) approaches to application security testing, and raising many questions about the subject. This post will explain the differences between the two methodologies, the advantages and disadvantages of each approach, and how they can work together, from a business perspective and from the perspective of web applications, as these are the weakest in terms of security.

Static Application Security Testing (SAST)

Static Application Security Testing (SAST) tests the web application from the inside and is an internal audit of an application. It can be carried out when the auditor or tool has full access to the source code.

One of the main services offered in the Managed Security Services sector is a source code review, which can be carried out manually by an auditor or automatically with a tool.

Advantages of SAST

SAST offers many advantages, the biggest being that it can detect highly complex vulnerabilities that are not visible without access to the source code.

In addition, SAST will tell you the precise location of any flaw in the source code, including the line number, which makes it an extremely useful methodology. Having said that, this is probably the most useful feature of SAST and is the only advantage it has over other web application security testing methodologies. It can be difficult for companies to justify using this methodology, as spending time on finding and fixing flaws that hackers can only exploit if they have access to the source code can be a drain on resources that could be used to find more pressing threats.

Furthermore, the SAST solution usually needs to be integrated into the Systems Development Life-cycle (SDLC) to detect vulnerabilities before deployment of the application in the live environment, which can make it difficult to implement.

One of the biggest flaws of the SAST methodology is the number of false positives generated by automated tools, as well as the inability to test the application in its real environment, where third-party code, application logic or insecure configuration may introduce serious vulnerabilities. Nonetheless, SAST is very useful for business-critical applications that are planned over a long period of time.

Dynamic Application Security Testing (DAST)

Dynamic Application Security Testing (DAST) tests the application from the “outside” while it is running in a test or production environment. A black-box penetration test, or an automated or managed vulnerability scan, can be classified as DAST.

Advantages of DAST

There are many advantages to the DAST methodology of application testing including:

  • The rapid nature in which tests can be carried out.

  • DAST offers a high level of flexibility and scalability.

  • It can be integrated quickly into a corporate security strategy.

However, there are many limitations to using fully-automated DAST solutions including:

  • False-negatives

  • False-positives

False negatives probably create the biggest problem of all, as these are missed vulnerabilities that can create security problems later. With this solution, many complicated vulnerabilities go undetected. Nevertheless, from the business point of view, DAST remains a highly efficient, fast and easy-to-deploy solution for detecting vulnerabilities and weaknesses.
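As an added example that is not from the original post, the contrast above in runnable form: one constructed sample handler is checked both ways, by a tiny static check that reports the exact line of string-built SQL, and by a black-box probe that observes nothing through the documented interface because the flawed branch depends on an undocumented parameter (a DAST false negative). The sample handler, its `debug` parameter and the two check functions are all assumptions built for this illustration.

```python
import ast
import sqlite3

# Constructed sample application (not from the original post): the string-built
# query is only reachable through an undocumented 'debug' parameter.
APP_SOURCE = '''
def lookup(conn, username, debug=None):
    cur = conn.cursor()
    if debug == "verbose":
        cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    else:
        cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''

def sast_scan(source):
    """Static check over the source text: flag every execute() whose SQL
    argument is not a string literal and report its exact line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and not isinstance(node.args[0], ast.Constant)):
            findings.append(node.lineno)
    return findings

def dast_probe(handler, **extra):
    """Black-box check against the running code: send a quote-breaking value
    and watch the behaviour. True = the probe reached string-built SQL (an
    OperationalError surfaced); False = nothing observable happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    try:
        handler(conn, "x'", **extra)
        return False
    except sqlite3.OperationalError:
        return True

def load_handler():
    """Execute the constructed sample so the dynamic probe has live code."""
    namespace = {}
    exec(APP_SOURCE, namespace)
    return namespace["lookup"]

if __name__ == "__main__":
    lookup = load_handler()
    print("SAST, flagged lines:", sast_scan(APP_SOURCE))       # [5]
    print("DAST, documented input:", dast_probe(lookup))       # False (missed)
    print("DAST, hidden parameter:", dast_probe(lookup, debug="verbose"))  # True
```

The third call shows the flaw is real and would surface to a dynamic test only if the tester already knew about the hidden parameter, which is exactly the knowledge source access gives SAST.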

Interactive Application Security Testing (IAST)

Interactive Application Security Testing (IAST) is a combination of both SAST and DAST, designed to leverage the advantages and strengths of both. However, IAST can be difficult to implement from a practical point of view.

When you combine the results of DAST and SAST testing you get the broadest overview of web application security issues. However, a manual or semi-manual combination of the two sets of results is not a true IAST solution, which is meant to have the SAST and DAST components interact on the fly.

Conclusion

It is recommended to use both SAST and DAST, or a combination of the two, to test web applications, in line with the requirements of your business. For the majority of live web applications, DAST is adequate to prevent the most critical practical cyber risks to your business.

For highly critical web applications and Web Services, a SAST code review may also be very useful to make sure that no hidden vulnerabilities were missed during the DAST audit. You may also consider using a web application security company like High-Tech Bridge to carry out a security audit of your web applications.