AST tools are one of the pillars of any Application Security practice. We believe that applications should be built secure from the very beginning, so we advocate for developers to take an active role in AppSec. As a result, we believe that all developers should have a basic knowledge of Application Security Testing (AST) tools such as SAST and DAST, compared to the more modern IAST. However, we still find that developers and architects frequently lack a good understanding of them.
So what exactly are SAST, DAST, and IAST? How do SAST vs DAST compare to IAST? Let’s do a quick review including definitions, pros, and cons.
What is SAST? A short definition
SASTs or Static Application Security Testing tools perform a direct white-box analysis of the application source code. The analysis runs on a static view of code, meaning that the code is not running at the time of the review. These days, SASTs are fully mainstream, and they are widely adopted across the software industry.
SAST Pros
- Broad programming language support
- The principle is easy to understand
SAST Cons
- Poor accuracy: 53% of issues detected are non-existent (false positives) [1]
- Antiquated technology that has not evolved
- SASTs have no visibility of the execution flow
- The output is a static report that quickly becomes outdated
- They often require some customization or tuning
- Not applicable to systems in Production stage
- Can be slow
What is DAST?
Let’s continue with one of the best-known AST tools, the veritable Dynamic AST. As opposed to SASTs, DASTs conduct black-box analysis of the application, meaning that they do not have access to the code or the implementation details. DASTs examine only the system’s responses to a battery of tests designed to highlight vulnerabilities. They are, in short, a vulnerability scanner.
DAST Pros
- Independent of the underlying app technology and platform
- DASTs provide good support for manual pentesting
DAST Cons
- Insufficient coverage: a best-in-class DAST detects only 18% of issues [1]
- Security background is required to interpret the results
- The output is a static report that quickly becomes outdated
- Can be slow
IAST: the modern AST
Interactive ASTs combine the best of a SAST and a DAST. IASTs provide the advantages of a static view, because they can see the source code, and also the advantages of a DAST approach, since they see the execution flow of the application during runtime.
IAST Pros
- Accuracy, as they detect 100% of OWASP Benchmark with no false positives
- Flexibility, as IASTs can be used in QA and Production environments
- Results are provided in real time
- Continuous detection, which is DevOps-friendly
- Truly Plug&Play, no configuration or tuning is required
- Communication with task management systems creates interconnected workflows
IAST Cons
- IAST tools require specific language support
Beyond the IAST: upgrading to a RASP
After covering SAST, DAST, and IAST, are you ready for another acronym? Just one more! RASP stands for Runtime Application Self-Protection, and this technology leverages the IAST instrumentation principles to offer a protection solution that competes against WAFs.
Most teams begin by testing instrumentation in IAST mode (non-blocking), and once they feel comfortable, graduate to RASPs (full-blocking mode). So, another benefit of IASTs is offering room to grow.
Sources:
[1] OWASP Benchmark