Introduction to Application Security Testing
Application Security testing is an integral part of SDLC (Software development lifecycle) and used to discover the weaknesses, risks or threats in software applications and help to detect vulnerabilities hidden in applications which can be exploited. The main objective of application security testing is to find all potential vulnerabilities of an application and fix them.
The security testing is required to be done in the initial stages of the software development lifecycle because if we perform security testing later post software execution phase it will cost more to fix gaps. Testing can be manually or in automated manner. In Manual testing various methods are used such as white box testing, black box testing and so on.
Today we look more in detail about some manual testing techniques – SAST, DAST and IAST. Their features, functionalities and use cases and will understand the difference between each of these testing techniques.
DAST (Dynamic Application Security Testing)
DAST or Dynamic Application security testing is a security tool which is used for scanning any web application to discover security vulnerabilities. This tool is used to detect vulnerabilities inside a web application program which is being deployed or in production. These tools send alerts to the security team for taking remediation actions. It can be integrated early into the software development lifecycle and its focus is to help organizations to reduce and protect against risks caused by application vulnerabilities.
DAST uses a black box technology and conducts vulnerability assessment from outside and doesn’t have access to application source code. DAST is used during testing and SQ face of SDLC cycle.
Pros and Cons of DAST
- Independent of underlying platform and technology
- Good support for manual penetration
- Insufficient coverage
- No information on location issue in code base
- Output is static report
- Can be slow
SAST (Static Application Security Testing)
SAST or Static Application security testing in this source code is tested way before application is live and deployed in production environment. It helps to detect vulnerabilities in applications before everyone else comes to know about them. SAST uses a testing methodology of analysing a source code to detect any traces of vulnerabilities which could provide a backdoor for hackers. It usually analyses and scans applications before compilation of code.
It is a white box testing technique where source code is visible to the developer and it is an approach where testers test the inner structure of a software before it integrates with the external systems.
Pros and Cons of SAST
- Multiple language support
- Easy to understand
- Poor accuracy (35% false +ve reported)
- No visibility of code execution flow
- Output is static report
- Requires customization and tuning
- Can be slow
- Not for systems in production stage
IAST (Interactive Application Security Testing)
IAST or Interactive application security testing tool was designed to test both web and mobile applications to detect and report issues even when application is running. Before someone else can use IAST they should have good knowledge of DAST and SAST techniques. It uses a grey box technique and it testing occurs in real time while application is running in stagging environment. It also checks source code at post build stage.
IAST agents are usually deployed on application servers and agent returns a line number of the issue from source code. The IAST agents can be deployed on application servers and during functional testing done by QA tester. Agents will study the pattern that a data transfer inside the application follows irrespective of it is vulnerable or not.
Pros and Cons of IAST
- Accurate, can detect 100% of OWASP benchmark with no False+ves
- Flexible for use
- No need for scan or attack application
- Results are in real time
- Continuous detection and DevOps friendly
- Truly Plug & play no configuration or tuning requirements
- Requires specific language support
Comparison Table: DAST vs SAST vs IAST
Below table summarizes the differences between the three:
|Testing Technique||This is a black box testing where there is no access to internal framework that comprises of application, source code and design||This is a white box testing where access to source code, application and design is available within internal framework||This is a grey box testing and used for identification of vulnerabilities in real time|
|Testing Methodology||The complete application is tested from the inside out. It is also known as developer approach||The complete application is testing from outside in. it is often called as hacker testing||This support the accuracy of SAST through use of the run time analysis of results generated from SAST|
|Deployment requirements||It requires deployment on an application server and not require to access source code||It does not require deployment and usually analyses source code directly without execution of an application||This requires deployment of IAST agent on application servers|
|Deployment scenario in SDLC||It is used only after code is compiled||It analyses source code and used very early in SDLC||Performed during Test and QA stage of SDLC|
|Costing||This tool is expensive as vulnerabilities are detected at a later stage of SDLC at times in the end.||It is not very expensive because vulnerabilities are detected very early in SDLC and remediated before code is in motion||Highly priced|
|Scanning techniques||It only scan applications by using dynamic analysis to detect run time vulnerabilities||It scans only static code and can’t discover run time vulnerabilities||Supports real time scanning|
|Applications supported||It scans only web applications||It supports all kind of applications||Supports web and mobile applications|
|Process type||DAST is a validation process and used to find and fix defects||SAST is a verification process and used to find defects||It is both validation and verification and combine the best of both SAST and DAST|
Download the comparison table: DAST vs SAST vs IAST
SAST, DAST and IAST are good security tools that can complement each other provided the organization has enough financial budget to support them. Security experts advise to use more than one combination of tools in the environment to address the majority of vulnerabilities.