SAST, DAST and IAST - What's the Difference?

by Srinivas Kedarisetty

Application Security Testing can be broadly classified into Static Application Security Testing and Dynamic Application Security Testing.

The two types of testing do not compete but rather complement each other. A robust application security testing plan can be developed for a project if the two types of testing are applied at the right phases of development. By planning static and dynamic testing for the relevant phases, the whole SDLC is covered by security testing.

The following is a summary of SAST vs DAST; this information can help you finalize your application security testing strategy.

| | SAST | DAST |
|---|---|---|
| General | Analyzes source code to find vulnerabilities and flaws | Tests the application from the outside, in its running state |
| White box vs black box | Testing is from a developer's perspective. The tester has complete knowledge of the underlying frameworks and design | Testing is from a hacker's perspective: it tries to attack the application the way a hacker would. The tester has no information on the underlying architecture of the application |
| SDLC phase | Can be done in the initial phases of the SDLC, such as coding | Can be done only in the final phases (UAT, go-live), since the application needs to be up and running |
| Environment and run-time issues | Run-time flaws cannot be detected, since SAST scans the static code | Run-time issues can be discovered. This is critical, since run-time and environment issues can be showstoppers |
| CI/CD compatibility | Can be integrated into CI/CD environments | Can be integrated only after the application build is ready and running |
| Language support | Cannot be used if the SAST tool does not support the language used for development | Has no dependency on the language in which the software is coded |
| Others | Developers have higher involvement in the security aspect, which in turn helps build security into the application design | Developers do not get clear visibility into the security aspects of the application, and fixes may become first aid rather than resolving design issues |
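To make the "General" and "Environment and run-time issues" rows concrete, here is an added example (not from the original post) of what the two approaches actually look at. It implements a toy SAST check that walks a Python AST for risky calls without executing anything, and a toy DAST check that requests a page from a running application and reports which security response headers are absent. The sample source, the local HTTP server, the list of risky calls and the list of expected headers are all constructed for this example; real SAST and DAST tools cover far more than this.

```python
"""
Added example: a minimal SAST check and a minimal DAST check side by side.
Both are toy implementations written for this page, not code from any tool.
"""
import ast
import http.server
import threading
import urllib.request

# --- SAST side: inspect source text without running it ---------------------

# Constructed sample: a fragment with two patterns a static analyzer would flag.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)   # command string built at run time

def load(expr):
    return eval(expr)                        # dynamic code execution
'''

# Calls that warrant review: (module, name) -> keyword that must be True,
# or None when the call is flagged unconditionally. None module = builtin.
RISKY_CALLS = {("subprocess", "run"): "shell", (None, "eval"): None}


def sast_scan(source: str) -> list[dict]:
    """Walk the AST and report risky calls with their line numbers."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            key = (func.value.id, func.attr)
        elif isinstance(func, ast.Name):
            key = (None, func.id)
        else:
            continue
        if key not in RISKY_CALLS:
            continue
        required_kw = RISKY_CALLS[key]
        if required_kw is not None:
            # Only flag subprocess.run when shell=True is literally present.
            if not any(kw.arg == required_kw
                       and isinstance(kw.value, ast.Constant)
                       and kw.value.value is True
                       for kw in node.keywords):
                continue
        findings.append({"line": node.lineno,
                         "call": ".".join(k for k in key if k)})
    return sorted(findings, key=lambda f: f["line"])


# --- DAST side: probe the application while it is running ------------------

class _TargetHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: serves a page that omits common security headers."""

    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


# Headers whose absence a dynamic scan would report; deployment-level facts
# that static analysis of the code cannot see.
EXPECTED_HEADERS = ("Content-Security-Policy",
                    "X-Content-Type-Options",
                    "Strict-Transport-Security")


def dast_scan(url: str) -> list[str]:
    """Request the running application and list missing security headers."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        present = {h.lower() for h in resp.headers.keys()}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def run_demo() -> tuple[list[dict], list[str]]:
    """Static check over SAMPLE_SOURCE, dynamic check against a local server."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        dynamic = dast_scan(f"http://127.0.0.1:{port}/")
    finally:
        server.shutdown()
        server.server_close()
    return sast_scan(SAMPLE_SOURCE), dynamic


if __name__ == "__main__":
    static, dynamic = run_demo()
    for f in static:
        print(f"SAST: line {f['line']}: risky call {f['call']}")
    for h in dynamic:
        print(f"DAST: missing response header {h}")
```

The static half needs only the text of the program and can run on every commit, which is why it fits the coding phase and CI pipelines; the dynamic half needs a reachable instance, which is why it arrives later, but it is the only one of the two that can observe how the application is actually configured and deployed.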


Cost-Benefit Analysis of SAST

While DAST is employed in many cases of application security testing, there is often apprehension about using SAST because of the cost involved in procuring and integrating a SAST tool.

A SAST tool does involve initial set-up costs, including licensing, developer training and integration. However, it brings significant savings by finding flaws earlier in the development cycle. Research by the IBM Systems Sciences Institute shows that the cost of fixing a flaw in a later stage is exponentially higher.

Filed in: Risk & Security
Srinivas Kedarisetty, Security Product Owner

Srinivas has more than 18 years of experience leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDKs. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.