SAST & DAST vs IAST: All You Need to Know About AST Tools

AST tools are one of the pillars of any Application Security practice. We believe that applications should be built secure from the very beginning, so we advocate for developers to take an active role in AppSec. As a result, we believe that all developers should have a basic knowledge of Application Security Testing (AST) tools such as SAST and DAST, compared to the more modern IAST. However, we still find that developers and architects frequently lack a good understanding of them.

Table of contents

What is SAST? A short definition
What is DAST?
SAST vs DAST
What is IAST? The modern AST tool
SAST vs DAST vs IAST
Beyond the IAST: upgrading to a RASP

So what exactly are SAST, DAST, and IAST? How do SAST vs DAST compare to IAST? Let’s do a quick review including definitions, pros, and cons.

What is SAST? A short definition

SAST or Static Application Security Testing tools, also known as code analyzers, perform a direct white-box analysis of the application source code. The analysis runs on a static view of code, meaning that the code is not running at the time of the review. These days, SAST security tools are fully mainstream, and they are widely adopted across the software industry.

SAST Pros

• Broad programming language support
• The principle is easy to understand

SAST Cons

• Poor accuracy: 53% of issues detected are non-existent (false positives) [1]
• Antiquated technology that has not evolved
• SAST code analyzers have no visibility of the execution flow
• The output is a static report that quickly becomes outdated
• They often require some customization or tuning
• Not applicable to systems in Production stage
• Can be slow

What is DAST?

Let’s continue with one of the best-known AST tools, the veritable Dynamic Application Security Testing (DAST), also known as web scanner. As opposed to SASTs, DASTs conduct black-box analysis of the application, meaning that they do not have access to the code or the implementation details. DASTs examine only the system’s responses to a battery of tests designed to highlight vulnerabilities. They are, in short, a vulnerability scanner.

DAST Pros

• Independent of the underlying app technology and platform
• DASTs provide good support for manual pentesting

DAST Cons

• Insufficient coverage: a best-in-class DAST detects only 18% of issues [1]
• No information on the location of the issue in the codebase
• Security background is required to interpret the results
• The output is a static report that quickly becomes outdated
• Can be slow

SAST vs DAST

The main difference between SAST and DAST is that a SAST provides a static and internal analysis of the application, while a DAST provides a dynamic (runtime) and external analysis of the application.

In terms of detection accuracy, a SAST code scanner will find more security issues than a DAST, at the cost of having a large number of false positives.

And in terms of fit to the SDLC stages, a SAST will fit well in the Development and QA stages, while a web scanner is mostly useful during QA and Production stages, as it requires the application to be up and running to work. On the other hand, a SAST requires direct access to the source code, while a DAST does not.

What is IAST? The modern AST tool

Interactive Application Security Testing (IAST) combine the best of a SAST and a DAST. IAST security tools provide the advantages of a static view, because they can see the source code, and also the advantages of a web scanner approach, since they see the execution flow of the application during runtime.

IAST Pros

• Accuracy, as they detect 100% of OWASP Benchmark with no false positives
• Flexibility, as IASTs can be used in QA and Production environments
• Coverage, since dependencies and legacy components are analyzed as well
• No need to scan, no need to attack the application
• Results are provided in real time
• Continuous detection, which is DevOps-friendly
• Truly Plug&Play, no configuration or tuning is required
• Communication with task management systems creates interconnected workflows

IAST Cons

• IAST tools require specific language support

SAST vs DAST vs IAST

The IAST technology combines and enhances the benefits of SAST and DAST. The accuracy of an IAST vastly improves that of SAST and DAST, because it benefits from the static and runtime points-of-view.

An IAST is more flexible than SAST and DAST because it can be used by multiple teams through the entire SDLC.

The vulnerability details provided by an IAST are also more helpful since it provides the static information (source file and line number) and the dynamic information (URL and parameters), in addition to the type and severity of the vulnerability. This means that the resolution of the issue happens faster.

The IAST detection approach is continuous, and there is no need to scan or attack the application: any regular traffic becomes a security analysis.

	SAST	DAST	Hdiv IAST
Detection Rate	84% Best in class SAST	18% Best in class DAST	100% Hdiv Detection (IAST)
False Positive Rate	53% Best in class SAST	1% Best in class DAST	0% Hdiv Detection (IAST)
One solution for Development, QA, and Production
Allows Continuous Security Testing
Third-Party Vulnerability Detection (SCA)
Actionable Feedback	Partial Points to vulnerable lines of code	Low Difficult to deduce location of problem	High Points to vulnerable lines of code + URL & Parameters

Beyond the IAST: Upgrading to a RASP

After covering SAST, DAST, and IAST, are you ready for another acronym? Just one more! RASP stands for Runtime Application Self-Protection, and this technology leverages the IAST instrumentation principles to offer a protection solution that competes against WAFs.

Most teams begin by testing instrumentation in IAST mode (non-blocking), and once they feel comfortable, graduate to RASPs (full-blocking mode). So, another benefit of IASTs is offering room to grow.

Sources:

[1] OWASP Benchmark