Application security used to be an afterthought until a few years ago, but the exponential rise in cybercrime and malicious activity has made organizations pay more attention to this crucial aspect. This realization has also brought up a widespread discussion about the pros and cons of the various AppSec solutions that are on offer in the market.
While Penetration (Pen) Testing, Interactive Application Security Testing (IAST) and Web Application Firewalls (WAF) are widely recognized security methodologies, they are typically used as processes to compliment the two most popular solutions in use today – Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
SAST vs DAST will be discussed around 5 parameters in this article:
- Software Development Life Cycle (SDLC) Integration.
- Continuous Integration Continuous Deployment (CICD) Implementation.
- Vulnerability Coverage and Effectiveness.
- Mitigation/Remediation Performance.
- Return of Investment (ROI).
Is SAST (White Box testing) truly effective in detecting today’s commonly found vulnerabilities? Or is DAST (Black Box testing) the better option?
SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC) INTEGRATION.
How do SAST and DAST stack up when it comes to creating a secure SDLC (sSDLC)?
Creating a secure Software Development Life Cycle (sSDLC) is starting to become one of the most comprehensive ways of ensuring safe web and mobile application development. But the three fundamentally different patterns implemented in today’s leading application development organizations are posing a huge challenge on the security front.
- Waterfall (Sequential Design Process)
- Agile/DevOps (Iterative Development)
- Continuous Integration Continuous Development (CICD)
Big organizations often have more than one of these being used simultaneously, as per the needs of the different development teams working on the project.
Static Application Security Testing (SAST) – SAST solutions such as Source Code Analysis (SCA) have the flexibility needed to perform in all types of SDLC methodologies.
SAST solutions can be integrated directly into the development environment. This enables the developers to monitor their code constantly. Scrum Masters and Product Owners can also regulate security standards within their development teams and organizations. This leads to quick mitigation of vulnerabilities and enhanced code integrity.
Dynamic Application Security Testing (DAST) – Black Box testing is ideally suited for Waterfall environments, but falls short in the more progressive development methods due to its inherited limitations. DAST tools can’t be used on source code or uncomplied application codes, delaying the security deployment till the latter stages of development.
CONTINUOUS INTEGRATION CONTINUOUS DEPLOYMENT IMPLEMENTATION.
SAST vs DAST when implemented in CICD environments (Agile, DevOps).
Continuous Integration security starts with proper implementation of the methodology. Secure and comprehensive Continuous Integration (CI) security involves the following stages: Scrums, Centralized code repository, Build Automation, Revision Control Functionality, Automated Quality Assurance (QA) and Code Consolation.
Static Application Security Testing (SAST) – These solutions, such as Source Code Analysis (SCA), are fully capable of covering all stages of the CI process. From the security analysis in daily Scrum meetings, through automated scanning of code repositories all the way to testing built application. This enables the early detection and mitigation of vulnerabilities.
In the CICD methodology the product is in a continuous state of release despite numerous development teams working on it. SAST is capable of being an automated testing solution, something that goes hand in hand with CICD. Once vulnerabilities are detected, teams can easily deploy fixes and eventually produce robust applications.
Dynamic Application Security Testing (DAST) – DAST falls short yet again due to its inherited characteristics, which enable it to start working only after the build is complete. This is not ideal for Continuous Integration scenarios, where the code is committed on a frequent basis and where automation is the key in virtually all development stages.
VULNERABILITY COVERAGE AND EFFECTIVENESS
Vulnerability coverage and effectiveness.
With the evolution of cybercrime, organizations need comprehensive security solutions that can give them maximum coverage. The most commonly used vulnerabilities, namely SQLi, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are featured in today’s top reference lists such as the OWASP Top-10 and SANS Top 25 Software Errors.
Traditional hacking involved the use of Phishing or straightforward techniques, but the cybercrime scene has changed drastically in recent years. Malicious attackers today implement more diverse and complex techniques that magnify the importance of robust application code with minimal vulnerabilities before release.
Static Application Security Testing (SAST) – White Box testing can help analyze both server-side and client-side vulnerabilities with high rates of success. Besides the usual web/mobile application code, SAST solutions can be applied to code in also in embedded systems and other locations.
Most SAST solutions are fully compatible with leading industry standards such as:
- The aforementioned OWASP Top-10 and SANS Top 25 security standards.
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Motor Industry Software Reliability Association (MISRA)
Dynamic Application Security Testing (DAST) – DAST security tools analyze only requests and responses. This basically means that hidden vulnerabilities such as design issues are simply not detected. Also, DAST is incapable of locating numerous non-reflective vulnerabilities (i.e – Cross-Site Scripting) that don’t generate feedback when triggered.
Scanning and testing small projects are typically straightforward and don’t require too much flexibility from the security solution. But today’s reality involves large projects with thousands of LOCs (lines of code). These organizations have tens or even hundreds of developer teams working on building the application.
The problem with large projects is the huge numbers of False Positives (FP). Organizations implementing inaccurate security tools have to hire personnel to take care of the issue, before remediation processes are initiated. This can cause huge delays in product releases and be very cost/resource heavy.
Static Application Security Testing (SAST) – Big software organizations worldwide are gravitating towards CICD, Agile and DevOps setups. SAST solutions have all the characteristics to blend into these Software Life Cycle’s. Code can be scanned fast, vulnerabilities are located accurately and untouched code doesn’t have to be re-scanned.
Dynamic Application Security Testing (DAST) – While DAST tools provide risk analysis and assist in the remediation efforts, developers don’t really know where exactly the vulnerabilities are located, not do they always now what countermeasures to implement. DAST methodology reporting is less than satisfactory in numerous instances.
Another disadvantage of fixing security issues after the application is up and running is the challenge faced by the developers. The teams accountable for the code have to re-visit and re-familiarize themselves with the code before fixing it. This is a time consuming process, which can become even more complicated when new workers have been hired.
RETURN OF INVESTMENT (ROI).
Comparing the “value for money” factor of the two methodologies.
Another important aspect is the investment required by the organization. Developing web and mobile applications can turn out to be quite a cost and resource heavy project, often causing a dip in the investment on the security front. This is not a recommended this to do, as evident in the infographic below.
Static Application Security Testing (SAST) – As mentioned earlier in the article, White Box testing gets security bugs fixed just like generic bugs, even before the application code is compiled. This, along with the wide programming language and framework coverage, makes SAST a capable security solution that reduces mitigation times and costs significantly.
Another benefit SAST solutions have over DAST tools is the ability to pinpoint where exactly the vulnerabilities are located. While Black Box testing helps detect vulnerabilities, developers have to still figure out which LOCs have to fixed and this process can be time-consuming and eventually cost the organization a lot of money.
Dynamic Application Security Testing (DAST) – In addition to DAST’s limitations when it comes to locating vulnerabilities early in the SDLC, every change in the code also requires a new scan, something that can become a cumbersome process while developing large projects (many KLOCs). This significantly hampers the remediation process.
Simply put, the ultimate advantage organizations have over hackers and malicious attackers is the access to its application source code. White Box testing (SAST/Static Code Analysis) makes use of this very advantage to eliminate application layer vulnerabilities, rather than just emulating hackers like done in the DAST methodology.
The consensus is implementing the White Box testing along with Black Box testing at the end of the development process. This is by far the ideal solution, endorsed even by Gartner.
“We believe that the ability to test an application both statically and dynamically will become increasingly important,” American IT research and advisory firm Gartner mentioned on its blog. “Some vulnerabilities can be found only with SAST testing, others with DAST. Testing in both ways yields the most comprehensive testing.”
But as mentioned earlier in the article, organizations need a security solution that provides wide vulnerability coverage and is capable of detecting vulnerabilities early. While DAST doesn’t require the source/application code, it cannot answer the basic need to work from the coding stage in the development process, nor is it optimal for automating security.
White Box scanning solutions, such as Source Code Analysis (SCA), enable organizations to gravitate towards the automation of the security process and help them create a secure SDLC. This enables quick and accurate fixing of flaws and vulnerabilities, complimented by the constant improvement of code integrity and security awareness amongst developers.
SAST is becoming the go-to option due to the growing needs of the new development era.
“SAST for security vulnerabilities should be a mandatory requirement for all IT organizations that develop or procure applications.” Gartner summarizes its take on web and mobile application security. “Ideally, application vulnerability detection would be conducted continuously during the entire software life cycle (SLC).”
To read more about the various AppSec solutions: THE DEFENDERS TOOLBOX