What is SAST?
SAST or Static Application Security Testing is the process of testing the source code, binary or byte code of an application. In SAST you do not need a running system.
What is DAST?
DAST or Dynamic Application Security Testing is the process of testing an application during its running state. In DAST you do not need the source code or the binaries. It is a method to probe from outside just like a hacker.
SAST: Pros and Cons
• SAST can pin point the code where the flaw is
• You can detect vulnerabilities before it is deployed: SAST does not need a running application
• Using SAST you can find vulnerabilities in an earlier phase of the Application’s development
• SAST fails to find vulnerabilities located outside the code or in third party interfacing
• SAST cannot find out vulnerabilities related to operational deployment
• Business Logic vulnerabilities cannot be discovered by a typical SAST automated tool
• SAST is more expensive and has higher overhead
• You need to provide the source code or binaries for SAST
DAST: Pros and Cons
• DAST can detect vulnerabilities related to operational deployment
• Business Logic Flaws can be figured out by DAST if you are using Hybrid Testing (with manual augmentation)
• Does not need access to code.
• DAST is easier to adopt, lower in cost and is more mature in terms of industry adoption
• DAST can find vulnerabilities located outside the code or in third party interfacing
• DAST cannot pin point the exact location of vulnerability in the code
• Coding quality or adherence to coding guidelines cannot be understood easily
A Few SAST myths
• Myth 1: SAST gives better coverage: It is a myth that SAST gives better coverage. SAST cannot find vulnerabilities in Business Logic or in third party code/interfacing.
• Myth 2: SAST has lower false positive: This is not true. All tools throw out a lot of false positives irrespective of SAST or DAST. Human augmentation is the only way to remove all false positives.
When to choose DAST?
• Ideally DAST should be adopted irrespective of SAST since you want to know the flaws (including Business Logic Flaws, Flaws due to third party code etc) which SAST cannot find. DAST gives you the picture from the perspective of a hacker.
• DAST should be adopted prior to the system going live or during every release(production).
• When you do not have access to code or don’t want to give access to it.
When to choose SAST?
• SAST is ideal if you want to test the application while it is being built
• You have access to the code/binary and have enough maturity in the organization and the budget to handle it.
Neither SAST nor DAST is enough. They are complimentary to a certain extent. The future is in the smart integration of SAST and DAST technologies.