With cybercrime escalating worldwide, application security has become a big challenge for organizations and governments. Penetration (Pen) Testing and Dynamic Application Security Testing (DAST) are capable solutions, but have their fair share of inherited deficiencies. Interactive Application Security Testing (IAST), an upcoming security methodology, is being increasingly compared with Static Application Security Testing (SAST). This article will take a closer look at these two security solutions and compare their functionality.
SAST: Securing the Foundation of the Application
With more and more hackers targeting application layer vulnerabilities, the growing consensus is that security should focus on the foundation of the application – the source code. This is where Static Application Security Testing (SAST) enters the picture, enabling quick and effective scanning of the source code and detecting issues even before the build stage of the development is reached.
Static Code Analysis (SCA), belonging to the Static Application Security Testing (SAST) family, has a numerous benefits. It is an out-of-the-box solution that’s easy to install and requires little to no maintenance. Implementation is made easy with light-weight plugins that sit directly within the developer IDEs, source repositories, build management servers and bug tracking tools.
By opting for SCA, organizations can initiate the security process early in the development stage. The scanning of source code allows the quick detection of SQL injections, Cross-Site Scripting (XSS) and other common vulnerabilities that appear in today’s leading security reference lists such as the OWASP Top-10 and SANS 25. Its also easy to comply with industry specific standards (PCI DSS, HIPAA, etc).
The table above is taken from the SANS 2015 State of Application Security Report, showing how InfoSec professionals from leading organizations worldwide safeguard their applications today. The findings show that creating and implementing a secure SDLC with the security solution built into all stages is more effective than other solutions that don’t have access to the application code.
Interactive Application Security Testing (IAST)
Regarded by many visionaries as the future of application testing, IAST is being talked about more and more in InfoSec circles. In a nutshell, IAST is a combination of SAST and Dynamic Application Security Testing (DAST). But this security solution has still not matured to a point that it can be defined precisely or measured accurately against rivalling solutions.
With how things stand right now, IAST can be best defined as an “innovative hybrid security solution”. The nature of operation is simulating various cyberattacks by sending different types of requests. The innovation lies in the fact that this is a real-time solution that listens from within the application, with the ability to detect non-reflective attacks (i.e – XSS) unlike DAST.
While this solution is unique in its ability to provide real-time analysis of attacks, its effectiveness fluctuates according to the quality of the instrumentation. Instrumentation agents are not easy to deploy accurately and typically cause issues with stability, performance and management. These technical issues are further complicated in large-scale infrastructures.
Interactive Application Security Testing (IAST). Source: Elsane/Gimp
SAST vs IAST: 5 Reasons to Opt for SAST
1 – Wider Coverage
Real-time attack simulations with IAST solutions provide accurate information, assuming all possible permutations have been configured and executed, which is tough to achieve. But even the best-case scenarios they can’t match the performance of SAST solutions, where there is full access to the application code and all data flows are mapped for effective vulnerability detection.
2 – Lesser Overhead
Implementing an IAST solution is much more complicated than the out-of-the-box functionality offered by SAST. IAST requires an agent installation – the planting of agents in various strategic junctions to monitor data and instructions. Inducing all possible attacks becomes hard to achieve. Depending on the “flavor” of the solution, installation and setup can be a complex process with varying levels of accuracy.
SAST requires no instrumentation whatsoever. Testing the application code is as easy as uploading the files, choosing the desired query and hitting the scan button.
3 – Better Platform Compatibility
The modern organization often consists of complex development structures, with different platforms and frameworks. This can complicate the deployment of IAST solutions, requiring the hiring of dedicated personnel to oversee the installation/maintenance and make the necessary configuration changes when the need arises. With Static Code Analysis (SCA), there is no such problem.
4 – Educational/Awareness Value
SAST has the upper hand in this category since it enables the involvement of all developers in the remediation process. The solution is integrated into the developer environment and allows the exporting of the findings for offline scrutiny/analysis, eventually improving the developer’s expertise in secure coding practices. Interactive Application Security Testing offers no such added value.
5 – Doubles as a Quality Assurance (QA) Solution
Thanks to the direct access to the application code, leading SAST solutions have the ability to locate coding flaws and errors. These issues can include cases of dead code and other logic errors that can eventually lead to many performance issues (bugs). This functionality not only helps the QA department, but enables smooth deployment and maintainability of the application.
Application Security Going Ahead
While IAST is proving to be a rising star in the AppSec cosmos, it’s still a hybrid product which has ways to go before it reaches full maturity. Various vendors today are offering this new solution in different configurations with varying levels of success. Until IAST approaches higher product maturity, organizations are better off opting for proven SAST solutions.
American IT research and advisory firm Gartner firmly endorses the early implementation of the security solution into the Software Life Cycle (SLC) with the various SAST solutions – “Move Application Security Testing (AST) earlier into the software development life cycle, and make secure coding and security testing the responsibility of the application development team.”
The SAST vs IAST discussion will probably keep popping up in many organizations, but the best way to approach application security is to combine two or more solutions. This helps create a multi-layered security strategy that detects as many vulnerabilities as possible before the product release, ensuring timely releases and minimizing the need for costly post-release maintenance efforts.
Read more about White Box versus Black Box Testing Solutions.