Both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) share a common goal—finding security vulnerabilities in an application. Both are an important part of a comprehensive application security process, but the perspectives and techniques used by SAST (white box testing) and DAST (black box testing) tools are very different.

It can also be difficult to sort through the results from different tools and work out which findings are the true security issues in your application. Hybrid Analysis Mapping (HAM) provides an efficient way to correlate the results of DAST and SAST tools. This approach lets you rapidly identify the issues that both exist in the code and can be exploited by an outside attacker, so the most serious AppSec issues can be prioritized and addressed immediately.

Black box vs. white box testing

DAST tools use an outside-in approach, testing an application at runtime to detect the attack surface and probe it for potential vulnerabilities. As a result, DAST tools, and specifically their vulnerability findings, have little information on the internal structure of the application, despite what they learn about the application's runtime response behavior.

SAST tools, on the other hand, use an inside-out approach, scanning an application’s source code for programming flaws that have the potential for exploitation if exposed as part of the attack surface. SAST tools will have little insight into the runtime behavior of the application.

| DAST (Black box testing) | SAST (White box testing) |
|---|---|
| Performed later in the Software Development Lifecycle (SDLC), once the application is in a deployable state | Performed throughout the SDLC, before the application is deployable |
| Outside-in: attacker's perspective | Inside-out: developer's perspective |
| Goal is to validate the application's functional requirements | Goal is to validate the internal structure and quality of the application code |
| Detects vulnerabilities by conducting attacks against a running instance of the application; typically only done with web applications | Detects potential vulnerabilities by identifying insecure code paths without actually executing the program; supports both web and desktop applications |
| Only tests program paths that are actually executed | Full code coverage, including code that is never executed |
| Typically finds less than SAST, but the findings are more precise | Reveals a wider range of findings, but many are not exploitable (imprecise); prioritization is difficult |
| Programming knowledge is not required | Programming knowledge is required |

The above table shows the complementary nature of DAST and SAST techniques for application risk assessment. There is a lot of value in running both types of tools on a code base. However, the results provided by the tools offer little in the way of effective correlation, forcing most SAST and DAST users to analyze the results separately as independent assessment activities.

The benefit of Hybrid Analysis Mapping (HAM)

Hybrid Analysis Mapping, also called Hybrid Application Security Testing (HAST), correlates the results of SAST and DAST tools so the user can see which of the source code weaknesses are actually exploitable from the perspective of an external attacker. However, correlating the results of multiple SAST and DAST tools is not easy.

DAST tools report findings against URLs, while SAST tools report findings against source code files. Identifying the set of source code files that correspond to a URL can be extremely difficult. Each web framework uses its own approach to structuring and routing its source code elements, which forces a separate URL-to-source mapping approach for each web framework.

Secure Decisions was funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate (Contract # D14PC00060) to develop a new, more efficient method of conducting HAM that overcomes many of the existing hurdles. The results of this DHS-funded project (entitled Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping) have been transitioned into Code Dx Enterprise.

The HAM solution incorporated into Code Dx overcomes several of the known challenges. DAST to SAST cross-mapping has previously been an inefficient process yielding incomplete results. Some solutions rely solely on trying to map source code to URLs. Others are point solutions that only work within a single vendor’s tool suite, without incorporating the results of multiple SAST and DAST tools.

In addition to these drawbacks, DAST to SAST correlation is hindered by the fact that many AppSec tools, especially open-source tools, don't conform to security standards such as Common Weakness Enumeration (CWE) or Software Fault Patterns (SFP). This limits the ability to cross-map the output of DAST and SAST tools using a security standard as the common denominator.

Merged findings increase efficiency and accuracy

The Code Dx HAM solution correlates results from a variety of open-source and commercial DAST and SAST tools, using techniques beyond just CWE and SFP to produce a set of merged findings. It is designed to improve the analysis speed, accuracy, and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques.
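To make the correlation problem described above concrete, here is an added, self-contained illustration (not Code Dx code and not the DHS project's method): DAST findings keyed by URL and SAST findings keyed by source file are merged through a per-framework route table plus the CWE id as the common key. All tool output, paths, URLs and CWE ids are constructed sample values, and the route table is a hypothetical one for a single framework.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records; real tools emit far more fields than this.
@dataclass(frozen=True)
class SastFinding:
    cwe: int      # weakness id, the common key across SAST and DAST output
    path: str     # source file the SAST tool flagged
    line: int

@dataclass(frozen=True)
class DastFinding:
    cwe: int
    url: str      # a DAST tool only knows the URL it probed
    param: str

# Hypothetical route table for one framework: URL pattern -> handler source file.
# This is the piece that has to be rebuilt for every web framework.
ROUTES: Dict[str, str] = {
    r"^/search$": "src/controllers/SearchController.java",
    r"^/users/\d+$": "src/controllers/UserController.java",
}

def handler_for(url: str) -> Optional[str]:
    """Resolve a scanned URL to the source file that serves it, or None if unmapped."""
    path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
    for pattern, src in ROUTES.items():
        if re.match(pattern, path):
            return src
    return None

Merged = Tuple[List[Tuple[SastFinding, List[DastFinding]]], List[SastFinding]]

def correlate(sast: List[SastFinding], dast: List[DastFinding]) -> Merged:
    """A SAST weakness is confirmed when a DAST finding with the same CWE reached a URL
    whose handler is the flagged file; all other SAST findings stay unconfirmed."""
    merged, unconfirmed = [], []
    for s in sast:
        hits = [d for d in dast if d.cwe == s.cwe and handler_for(d.url) == s.path]
        if hits:
            merged.append((s, hits))
        else:
            unconfirmed.append(s)
    return merged, unconfirmed

# Constructed scan results: one exposed XSS sink, one SQL sink in a file no route
# reaches, and one XSS sink on a route the DAST tool only reported SQLi for.
SAST = [SastFinding(79, "src/controllers/SearchController.java", 42),
        SastFinding(89, "src/dao/ReportDao.java", 17),
        SastFinding(79, "src/controllers/UserController.java", 88)]
DAST = [DastFinding(79, "https://app.example/search?q=test", "q"),
        DastFinding(89, "https://app.example/users/7", "id")]

def demo() -> Merged:
    return correlate(SAST, DAST)
```

Only the SearchController finding ends up in the merged (confirmed exploitable) set; the other two SAST findings remain unconfirmed, which is exactly the prioritization signal HAM is meant to provide.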

Version 2.0 of Code Dx completed a critical step in the HAM process: adding support for consuming and de-duplicating the results of DAST tools. We then instrumented an application under test using Interactive Application Security Testing (IAST) techniques to add code-level details to DAST findings. IAST tools combine DAST and SAST techniques, using instrumentation to leverage information from inside the application while it is running to find vulnerabilities.

Now, with version 3.0 of Code Dx Enterprise, you can automatically correlate the SAST and DAST results to show the attack surface of the code, that is, which parts of the code are reachable by a potential attacker using dynamic penetration tools. Full support of Static and Dynamic Hybrid Analysis is here.

The Code Dx Hybrid Analysis capability combines inside-out and outside-in approaches, identifying the vulnerabilities that both exist in the code and are also shown to be exploitable. This feature allows developers and AppSec professionals to immediately confirm whether a potential weakness is, in fact, a true and genuine threat.

Supported Hybrid Analysis tools

Code Dx Enterprise supports and integrates with more than 40 commercial and open-source SAST, DAST, and IAST tools and techniques, providing comprehensive application vulnerability and correlation management.

Supported DAST and IAST tools include:

  • Acunetix
  • Arachni
  • BurpSuite Professional
  • Cigital
  • Contrast Security
  • Micro Focus
  • Nessus
  • Netsparker
  • OWASP ZAP
  • Rapid7

Supported SAST tools include (but are not limited to):

  • Checkmarx
  • Checkstyle
  • ESLint
  • IBM AppScan
  • Jlint
  • Microsoft FxCop
  • NowSecure
  • Synopsys
  • Veracode
  • White Hat Security

Stay tuned for additional updates to Code Dx Enterprise, so you can get the most out of your application security tools and techniques.