Back
Application Security Testing - DAST, SAST, IAST

DAST, SAST, IAST: Types of Application Security Testing

Introduction to Application Security Testing

Application Security testing is an integral part of SDLC (Software development lifecycle) and used to discover the weaknesses, risks or threats in software applications and help to detect vulnerabilities hidden in applications which can be exploited. The main objective of application security testing is to find all potential vulnerabilities of an application and fix them.

The security testing is required to be done in the initial stages of the software development lifecycle because if we perform security testing later post software execution phase it will cost more to fix gaps. Testing can be manually or in automated manner. In Manual testing various methods are used such as white box testing, black box testing and so on. 

Today we look more in detail about some manual testing techniques – SAST, DAST and IAST. Their features, functionalities and use cases and will understand the difference between each of these testing techniques. 

 

DAST (Dynamic Application Security Testing) 

DAST or Dynamic Application security testing is a security tool which is used for scanning any web application to discover security vulnerabilities. This tool is used to detect vulnerabilities inside a web application program which is being deployed or in production. These tools send alerts to the security team for taking remediation actions. It can be integrated early into the software development lifecycle and its focus is to help organizations to reduce and protect against risks caused by application vulnerabilities.

DAST uses a black box technology and conducts vulnerability assessment from outside and doesn’t have access to application source code. DAST is used during testing and SQ face of SDLC cycle. 

Pros and Cons of DAST

PROS

  • Independent of underlying platform and technology
  • Good support for manual penetration 

CONS

  • Insufficient coverage
  • No information on location issue in code base
  • Output is static report
  • Can be slow 

SAST (Static Application Security Testing)

SAST or Static Application security testing in this source code is tested way before application is live and deployed in production environment. It helps to detect vulnerabilities in applications before everyone else comes to know about them. SAST uses a testing methodology of analysing a source code to detect any traces of vulnerabilities which could provide a backdoor for hackers. It usually analyses and scans applications before compilation of code. 

It is a white box testing technique where source code is visible to the developer and it is an approach where testers test the inner structure of a software before it integrates with the external systems. 

Pros and Cons of SAST

PROS

  • Multiple language support
  • Easy to understand

CONS

  • Poor accuracy (35% false +ve reported)
  • No visibility of code execution flow
  • Output is static report
  • Requires customization and tuning
  • Can be slow
  • Not for systems in production stage 

 

IAST (Interactive Application Security Testing) 

IAST or Interactive application security testing tool was designed to test both web and mobile applications to detect and report issues even when application is running. Before someone else can use IAST they should have good knowledge of DAST and SAST techniques. It uses a grey box technique and it testing occurs in real time while application is running in stagging environment. It also checks source code at post build stage.

IAST agents are usually deployed on application servers and agent returns a line number of the issue from source code. The IAST agents can be deployed on application servers and during functional testing done by QA tester. Agents will study the pattern that a data transfer inside the application follows irrespective of it is vulnerable or not. 

Pros and Cons of IAST

PROS

  • Accurate, can detect 100% of OWASP benchmark with no False+ves
  • Flexible for use
  • No need for scan or attack application
  • Results are in real time
  • Continuous detection and DevOps friendly 
  • Truly Plug & play no configuration or tuning requirements 

CONS

  • Requires specific language support

 

Comparison Table: DAST vs SAST vs IAST

Below table summarizes the differences between the three:

FUNCTION

DASTSAST

IAST

Testing TechniqueThis is a black box testing where there is no access to internal framework that comprises of application, source code and designThis is a white box testing where access to source code, application and design is available within internal frameworkThis is a grey box testing and used for identification of vulnerabilities in real time
Testing MethodologyThe complete application is tested from the inside out. It is also known as developer approachThe complete application is testing from outside in. it is often called as hacker testingThis support the accuracy of SAST through use of the run time analysis of results generated from SAST
Deployment requirementsIt requires deployment on an application server and not require to access source codeIt does not require deployment and usually analyses source code directly without execution of an applicationThis requires deployment of IAST agent on application servers
Deployment scenario in SDLCIt is used only after code is compiledIt analyses source code and used very early in SDLCPerformed during Test and QA stage of SDLC
CostingThis tool is expensive as vulnerabilities are detected at a later stage of SDLC at times in the end.It is not very expensive because vulnerabilities are detected very early in SDLC and remediated before code is in motionHighly priced
Scanning techniquesIt only scan applications by using dynamic analysis to detect run time vulnerabilitiesIt scans only static code and can’t discover run time vulnerabilitiesSupports real time scanning
Applications supportedIt scans only web applicationsIt supports all kind of applicationsSupports web and mobile applications
Process typeDAST is a validation process and used to find and fix defectsSAST is a verification process and used to find defectsIt is both validation and verification and combine the best of both SAST and DAST

Download the comparison table: DAST vs SAST vs IAST

Conclusion

SAST, DAST and IAST are good security tools that can complement each other provided the organization has enough financial budget to support them. Security experts advise to use more than one combination of tools in the environment to address the majority of vulnerabilities. 

Continue Reading:

What is SAST (Static Application Security Testing) ?

What is Penetration Testing or Pen Test?

Tag:,

Rashmi Bhardwaj

I am here to share my knowledge and experience in the field of networking with the goal being - "The more you share, the more you learn."

I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.

I am a strong believer of the fact that "learning is a constant process of discovering yourself."
- Rashmi Bhardwaj (Author/Editor)

You may also like

Simplifying Power over Ethernet PoE Installation
Simplifying Power over Ethernet PoE Installation
19 November, 2024
Cloudflare – What is it
What is Cloudflare? Working, Uses, Pros & Cons
14 November, 2024
Configure DHCP Relay Traffic to Use SD-WAN Rules
Configure DHCP Relay Traffic to Use SD-WAN Rules
12 November, 2024

Leave A Reply

Your email address will not be published. Required fields are marked *

15 + 6 =

Select your currency
USD United States (US) dollar
INR Indian rupee