SAST vs DAST: How should you choose ?

What is SAST?

SAST or Static Application Security Testing is the process of testing the source code, binary or byte code of an application. In SAST you do not need a running system.


What is DAST?

DAST or Dynamic Application Security Testing is the process of testing an application during its running state.  In DAST you do not need the source code or the binaries. It is a method to probe from outside just like a hacker.

SAST: Pros and Cons

• SAST can pin point the code where the flaw is
• You can detect vulnerabilities before it is deployed: SAST does not need a running application
• Using SAST you can find vulnerabilities in an earlier phase of the Application’s development

• SAST fails to find vulnerabilities located outside the code or in third party interfacing
• SAST cannot find out vulnerabilities related to operational deployment
• Business Logic vulnerabilities cannot be discovered by a typical SAST automated tool
• SAST is more expensive and has higher overhead
• You need to provide the source code or binaries for SAST

(Read more:   How Should a CISO choose the right Anti-Malware Technology?)


DAST: Pros and Cons

• DAST can detect vulnerabilities related to operational deployment
• Business Logic Flaws can be figured out by DAST if you are using Hybrid Testing (with manual augmentation)
• Does not need access to code.
• DAST is easier to adopt, lower in cost and is more mature in terms of industry adoption
• DAST can find vulnerabilities located outside the code or in third party interfacing

• DAST cannot pin point the exact location of vulnerability in the code
• Coding quality or adherence to coding guidelines cannot be understood easily

 (Read more: 5 of the most famous and all time favourite white hat hackers!)

A Few SAST myths

• Myth 1: SAST gives better coverage: It is a myth that SAST gives better coverage. SAST cannot find vulnerabilities in Business Logic or in third party code/interfacing.
• Myth 2: SAST has lower false positive: This is not true. All tools throw out a lot of false positives irrespective of SAST or DAST. Human augmentation is the only way to remove all false positives.

When to choose DAST?

• Ideally DAST should be adopted irrespective of SAST since you want to know the flaws (including Business Logic Flaws, Flaws due to third party code etc) which SAST cannot find. DAST gives you the picture from the perspective of a hacker.
• DAST should be adopted prior to the system going live or during every release(production).
• When you do not have access to code or don’t want to give access to it.

(Watch more : South Asia's Cyber Security Landscape after the Snowden Revelations)

When to choose SAST?

• SAST is ideal if you want to test the application while it is being built
• You have access to the code/binary and have enough maturity in the organization and the budget to handle it.


Final words
Neither SAST nor DAST is enough. They are complimentary to a certain extent. The future is in the smart integration of SAST and DAST technologies.


(More:  Want to share your insights? Click here to write an article at CISO Platform)


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Virtual Summit - Best Of The World In Security 2021

  • Description:

    This conference celebrates the foremost security researchers and trainers in the world. This is co-hosted by CISO Platform and SACON with 40,000+ global security professionals. Our vision is to promote collaborative and cooperative learning with the best of the minds in Cyber Security.

    Link to register :

  • Created by: pritha