AST tools are one of the pillars of any Application Security practice. We believe that applications should be built secure from the very beginning, so we advocate for developers to take an active role in AppSec. As a result, we believe that all developers should have a basic knowledge of Application Security Testing (AST) tools such as SAST and DAST, compared to the more modern IAST. However, we still find that developers and architects frequently lack a good understanding of them.
Table of contents
What is SAST? A short definition
What is DAST?
SAST vs DAST
What is IAST? The modern AST tool
SAST vs DAST vs IAST
Beyond the IAST: upgrading to a RASP
So what exactly are SAST, DAST, and IAST? How do SAST vs DAST compare to IAST? Let’s do a quick review including definitions, pros, and cons.
What is SAST? A short definition
SAST or Static Application Security Testing tools, also known as code analyzers, perform a direct white-box analysis of the application source code. The analysis runs on a static view of code, meaning that the code is not running at the time of the review. These days, SAST security tools are fully mainstream, and they are widely adopted across the software industry.
SAST Pros
- Broad programming language support
- The principle is easy to understand
SAST Cons
- Poor accuracy: 53% of issues detected are non-existent (false positives) [1]
- Antiquated technology that has not evolved
- SAST code analyzers have no visibility of the execution flow
- The output is a static report that quickly becomes outdated
- They often require some customization or tuning
- Not applicable to systems in Production stage
- Can be slow
What is DAST?
Let’s continue with one of the best-known AST tools, the veritable Dynamic Application Security Testing (DAST), also known as web scanner. As opposed to SASTs, DASTs conduct black-box analysis of the application, meaning that they do not have access to the code or the implementation details. DASTs examine only the system’s responses to a battery of tests designed to highlight vulnerabilities. They are, in short, a vulnerability scanner.
DAST Pros
- Independent of the underlying app technology and platform
- DASTs provide good support for manual pentesting
DAST Cons
- Insufficient coverage: a best-in-class DAST detects only 18% of issues [1]
- No information on the location of the issue in the codebase
- Security background is required to interpret the results
- The output is a static report that quickly becomes outdated
- Can be slow
SAST vs DAST
The main difference between SAST and DAST is that a SAST provides a static and internal analysis of the application, while a DAST provides a dynamic (runtime) and external analysis of the application.
In terms of detection accuracy, a SAST code scanner will find more security issues than a DAST, at the cost of having a large number of false positives.
And in terms of fit to the SDLC stages, a SAST will fit well in the Development and QA stages, while a web scanner is mostly useful during QA and Production stages, as it requires the application to be up and running to work. On the other hand, a SAST requires direct access to the source code, while a DAST does not.
What is IAST? The modern AST tool
Interactive Application Security Testing (IAST) combine the best of a SAST and a DAST. IAST security tools provide the advantages of a static view, because they can see the source code, and also the advantages of a web scanner approach, since they see the execution flow of the application during runtime.
BONUS: Free White Paper
Eliminate the noise of false positives with IAST technology. Learn the answers to the key questions regarding IAST tools.
Get Your Whitepaper
IAST Pros
- Accuracy, as they detect 100% of OWASP Benchmark with no false positives
- Flexibility, as IASTs can be used in QA and Production environments
- Coverage, since dependencies and legacy components are analyzed as well
- No need to scan, no need to attack the application
- Results are provided in real time
- Continuous detection, which is DevOps-friendly
- Truly Plug&Play, no configuration or tuning is required
- Communication with task management systems creates interconnected workflows
IAST Cons
- IAST tools require specific language support
SAST vs DAST vs IAST
The IAST technology combines and enhances the benefits of SAST and DAST. The accuracy of an IAST vastly improves that of SAST and DAST, because it benefits from the static and runtime points-of-view.
An IAST is more flexible than SAST and DAST because it can be used by multiple teams through the entire SDLC.
The vulnerability details provided by an IAST are also more helpful since it provides the static information (source file and line number) and the dynamic information (URL and parameters), in addition to the type and severity of the vulnerability. This means that the resolution of the issue happens faster.
The IAST detection approach is continuous, and there is no need to scan or attack the application: any regular traffic becomes a security analysis.
Beyond the IAST: Upgrading to a RASP
After covering SAST, DAST, and IAST, are you ready for another acronym? Just one more! RASP stands for Runtime Application Self-Protection, and this technology leverages the IAST instrumentation principles to offer a protection solution that competes against WAFs.
Most teams begin by testing instrumentation in IAST mode (non-blocking), and once they feel comfortable, graduate to RASPs (full-blocking mode). So, another benefit of IASTs is offering room to grow.
Sources:
[1] OWASP Benchmark