The number of acronyms to keep track of today continues to grow at a rapid pace, especially in the technology industry.  For software developers and security testers, SAST and DAST are two commonly used acronyms, but are often misunderstood.

Understanding Static Application Security Testing (SAST)

Static Application Security Testing (SAST) tools are used early in the software development process to test the application from the inside out (white box testing tools) and do not require a running system to perform the evaluations.  These tools test the source code, the byte code or the binaries line by line to expose weaknesses in the software before it is deployed.  By detecting the flaws in the code early in the process, weaknesses can be fixed before hackers detect them and they become true vulnerabilities for an organization.

SAST solutions present a fair share of challenges.  They tend to be complex, difficult to use and don’t work well together; and they also require access to the source code, byte code or binaries, which some organizations or individuals may be apprehensive to give up to application testers.  SAST tools are also not able to identify vulnerabilities outside the application’s code, such as those defects that might be found in third-party interfaces.  Furthermore, each SAST tool tends to only focus on a subset of potential weaknesses.  A benchmarking study by the National Security Agency (NSA) Center for Assured Software found that the average SAST tool covers only 8 of 13 weakness classes and finds only 22% of the flaws in each weakness class.  Based on these numbers, the average SAST tool is likely to find only 14% of the vulnerabilities in an application’s code and typically each tool tends to find different classes of weaknesses, resulting in little overlap between the results of different SAST tools.  Therefore, leveraging multiple SAST tools is an industry best practice; but, tends to be costly and a significant drain on overhead.

SAST tools have their time and place.  Ideally, software developers would use multiple SAST tools during the development of an application in order to detect weaknesses before they become security risks for end users.

An Overview of Dynamic Application Security Testing (DAST)

The key difference between SAST and Dynamic Application Security Testing (DAST) is that DAST is done from the outside looking in.  It is a process that takes place while the application is running and it tries to penetrate the application in a variety of ways to identify potential vulnerabilities, including those outside the code and in third-party interfaces.  Source code, byte code and binaries are not required with DAST, and it is easier to use and less expensive than SAST tools.

On the other hand, DAST tools are unable to isolate the exact site of a weakness in the code and have difficulty following coding guidelines.

By providing the outside in perspective, DAST tools can provide valuable insight and are ideal to be used before an application goes live and when source code is not available to be tested.

Minimizing Risks by Combining Application Security Testing Tools

Both types of testing tools come with their advantages and disadvantages and can complement each other – one type being used earlier in the software development process and one later.  For the most comprehensive coverage, multiple SAST and DAST tools should be used to detect potential vulnerabilities.  This combination of SAST and DAST is being referred to as Hybrid Analysis or Hybrid Application Security Testing (HAST) – an approach many penetration testers are leveraging today.

The challenge is when using multiple tools, each produces its reports using different naming conventions and severity ratings, making it difficult to combine and compare the vulnerabilities found by these tools.  Code Dx is the answer to this increasingly common issue experienced by software developers and security testers.  It combines the results of multiple static analysis tools, normalizes those results enabling users to compare them on a common severity scale and shows which weaknesses were found by multiple tools, as opposed to those found only by one.