
SAST vs WAF – 5 Reasons To Opt For SAST

With the industrialization of cybercrime and the rising severity of attacks, the value of traditional application security techniques is eroding fast. The Web Application Firewall (WAF), considered a go-to security solution until not long ago, is steadily losing effectiveness. Static Application Security Testing (SAST) solutions, on the other hand, are gaining momentum.


What is WAF all about?


As the name suggests, a Web Application Firewall (WAF) is a security barrier (a server plugin or a cloud-based service) placed in front of the application to inspect user requests in real time. It monitors website traffic and, depending on how the organization configures it, can block requests when malicious activity is detected.


When properly configured, a WAF can detect code injection attacks (SQL/LDAP injection, XSS, etc.) and attacks exploiting other vulnerabilities. Assuming the tool's parameters have been tuned accurately, attacks can be detected or blocked. A WAF can monitor traffic from the network layer up to the application layer of the OSI model.




WAFs can be deployed in two modes, block mode and detect mode. In block mode, threats are blocked in real time, temporary patches are applied, and subsequent requests from the same source are all flagged as malicious. Detect mode is more of a monitoring mode: the security staff are alerted every time malicious activity is detected, but requests are not blocked.


Static Application Security Testing (SAST)


SAST takes a more direct approach: it focuses on the foundation of the application, the source code. It integrates static code scanning into every stage of the Software Development Life Cycle (SDLC). Because even incomplete chunks of source code can be scanned, remediation becomes quick and effective.




A secure SDLC typically has six stages: analysis, design, coding, testing, deployment and maintenance. This setup is best achieved by adopting Continuous Integration and Delivery (CI/CD) or iterative development methodologies such as Agile or DevOps. SAST blends seamlessly into these environments thanks to its lightweight IDE plugins.


A big advantage of SAST over WAF is its ability to pinpoint the vulnerable junctions in the application code. For example, Source Code Analysis (SCA), a SAST technique, lets developers significantly speed up remediation by fixing multiple vulnerabilities with a minimal number of fixes. SAST also does not re-scan unchanged code, which shortens testing times.
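To make the "vulnerable junction" idea concrete, here is a minimal SAST-style scanner added for illustration (it is not Checkmarx code): it walks a module's AST, finds database sinks whose SQL text is assembled at runtime, reports the function and line, and groups findings by sink so one fix in a shared helper closes several findings. The sample module, the sink names `execute` and `run_query`, and their argument positions are constructed assumptions.

```python
"""Minimal SAST-style scanner (added illustration, not Checkmarx code): finds
database sinks whose SQL argument is built at runtime, reports the exact function
and line, and groups findings by sink. The sample module below is constructed."""
import ast
from collections import defaultdict

# Constructed sample: two call sites build SQL dynamically and hand it to a shared
# helper (the vulnerable junction); a third call site is already parameterised.
SAMPLE_SOURCE = '''
def run_query(cur, sql):
    return cur.execute(sql)

def find_user(cur, name):
    return run_query(cur, "SELECT * FROM users WHERE name = '" + name + "'")

def find_order(cur, order_id):
    return run_query(cur, f"SELECT * FROM orders WHERE id = {order_id}")

def find_item(cur, sku):
    return cur.execute("SELECT * FROM items WHERE sku = %s", (sku,))
'''

# Sink name -> index of the positional argument that carries the SQL text (assumed).
SINKS = {"execute": 0, "run_query": 1}

def is_dynamic_sql(node):
    """True when the SQL text is built at runtime (f-string, concatenation, .format)."""
    if isinstance(node, (ast.JoinedStr, ast.BinOp)):
        return True
    return isinstance(node, ast.Call) and getattr(node.func, "attr", None) == "format"

def scan(source):
    """Returns one finding per dynamic-SQL sink call: function name, line and sink."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Call):
                continue
            name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
            idx = SINKS.get(name)
            if idx is not None and len(node.args) > idx and is_dynamic_sql(node.args[idx]):
                findings.append({"function": func.name, "line": node.lineno, "sink": name})
    return findings

def group_by_sink(findings):
    """Counts findings per sink: a high count points at the shared helper to fix first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["sink"]] += 1
    return dict(counts)
```

Both findings funnel through `run_query`, so making that helper accept bound parameters (and updating its two callers) is the single remediation the grouped report points at.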


SAST vs WAF – Why SAST Is The Better Option


1 – Total Cost of Ownership


SAST solutions can be installed quickly and require little to no maintenance. The code is scanned automatically after each commit as part of the SDLC and results are generated as per the requirements.


This is not the case with a WAF, where dedicated staff have to constantly configure and tweak the tool to make sure it produces optimal results. A WAF deployment also needs personnel to sort out the false positives (FPs) and pass the real vulnerabilities on to the developers. Remediation problems may also arise when the developers are not familiar with the application code's structure and purpose, because it was written long ago.


2 – Better ROI


SAST is the better option because it enables remediation during the development and build stages, which saves the organization a lot of time, money and resources and minimizes the need for post-release patches and security updates. A WAF can start working only after the application is up and running. The savings per defect with SAST can amount to thousands of dollars.




3 – False Positives Don’t Affect Performance


It can be argued which of the two produces more false positives, but SAST has the advantage here too. An occasional false positive while scanning code during the development or build stage is easily dealt with; this is not the case when a WAF produces one. When a WAF raises a false positive in real time, a legitimate user is blocked and simply cannot use the application.
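The block-versus-detect distinction described earlier and the cost of a real-time false positive, as a toy request filter added here for illustration (not any product's code): a single coarse signature, constructed sample traffic with private-range addresses, and a WAF class whose mode decides whether a match blocks the request or only raises an alert.

```python
"""Toy WAF request filter (added illustration, not a product's code) showing block
mode versus detect mode and why a false positive hurts more in block mode: the
legitimate user is refused service. The rule and the traffic are constructed."""
import re
from dataclasses import dataclass, field

# One deliberately coarse signature, like an untuned production rule: the keyword OR
# followed by a comparison anywhere in a parameter value.
RULES = [("sqli-coarse", re.compile(r"\bor\b\s+\S+\s*=", re.IGNORECASE))]

@dataclass
class Waf:
    mode: str                                   # "block" or "detect"
    alerts: list = field(default_factory=list)  # (source_ip, rule_id) raised to security staff
    flagged_sources: set = field(default_factory=set)

    def inspect(self, src_ip, params):
        """Returns "allow" or "block" for one request and records any alert."""
        hit = next((rid for rid, rx in RULES for v in params.values() if rx.search(v)), None)
        if hit is None and src_ip not in self.flagged_sources:
            return "allow"
        self.alerts.append((src_ip, hit or "repeat-offender"))
        if self.mode == "block":
            self.flagged_sources.add(src_ip)  # later requests from this source are flagged too
            return "block"
        return "allow"                        # detect mode alerts but never blocks

# Constructed traffic: a probing request, a harmless follow-up from the same source,
# and a legitimate comment that the coarse rule also matches (a false positive).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", {"id": "1 or 1=1"}),
    ("10.0.0.5", {"id": "7"}),
    ("10.0.0.9", {"comment": "either red or blue = fine by me"}),
]

def simulate(mode):
    """Runs the sample traffic through a WAF in the given mode; returns decisions and alerts."""
    waf = Waf(mode)
    decisions = [waf.inspect(ip, params) for ip, params in SAMPLE_TRAFFIC]
    return decisions, waf.alerts

if __name__ == "__main__":
    for mode in ("block", "detect"):
        print(mode, *simulate(mode))
```

In block mode the third request, a harmless comment, is refused outright; in detect mode the same match only produces an alert for the security team to triage.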


4 – Educational Advantage and Improvement of Coding Standards


The vulnerability findings of SAST solutions can be exported for offline scrutiny and can double as material for scrum or code-review sessions with the developers. With SAST in place, both the development and the testing teams become part of the security validation process, which sharpens developers' coding skills and promotes AppSec awareness.


With a WAF, the only people involved in the process are the security team. Developers are kept out of the loop, so there is no real improvement in secure coding standards.


5 – Not limited only to web applications


Unlike Web Application Firewalls, SAST solutions can test more than just web applications. Static code analysis is equally effective for real-time systems, mobile applications and software on embedded devices. SAST can also be used in sequential (Waterfall) development processes where chunks of code have to be tested.




While WAFs are no longer capable of being a stand-alone application security solution, they can still be used as complementary tools alongside the more comprehensive SAST.


But the best way to ensure security is to build safe applications whose code has been scanned for vulnerabilities and loopholes early in the SDLC. With SAST, developers can fix the issues easily and improve their secure coding standards along the way. Applications with robust code are harder to exploit, and this is the direction all organizations should take today.


Gartner has also addressed the SAST vs WAF topic: “At the end of 2018, less than 20% of enterprises will rely only on firewalls or intrusion prevention systems to protect their Web applications.”


What application security setup do you have in your organization right now? Feel free to share your thoughts about SAST vs DAST and comment about the evolving security techniques that are on offer today.
