What’s the difference between DAST vs SAST vs IAST?

S4 Applications security testing

In this blog I want to quickly run through what each of these acronyms mean and comparing DAST vs SAST vs IAST, and why from a security perspective you should be using at least one of them.

The easy bit first

In each acronym the AST stands for “Application Security Testing”, which is a good start, as this is the function that they perform. The nuance comes in how they work differently, which is the reason for the first letter.

So:

DAST = Dynamic Application Security Testing

SAST = Static Application Security Testing

IAST = Interactive Application Security Testing

DAST – Dynamic Application Security Testing

A tool that accesses a web application and pretends to be a browser to take a look around your application for security issues. It is common to give the tool a user name and password so that it can look around the more sensitive areas of your application too.

The types of issues that DAST can find are categorised reasonably well in the OWASP top 10 and cover things like “Cross Site Scripting”, or “SQL Injection”. A good scanning tool will also find more subtle errors like insecure cookie handling, out-of-date library use and so on.

Tools range from sophisticated (Netsparker and Acunetix which we recommend and sell) to simple, free tools that may scan a Word Press web site for issues with plugins.

Some notes:

  • This is only for web applications
  • This is also programming language agnostic; it is the behaviour that is examined, not how it is done
  • It only examines areas of the application it can access
  • When an issue is identified, the programmer must work out what happened to find the line of code
  • You can test an application for which you do not have the source code

Read about our 8 best practice steps for effective Vulnerability Lifecycle Management.

SAST – Static Application Security Testing

A tool that looks at the source code for coding issues. Tools that perform this task have been around since programming languages started. I personally remember using “lint” with my C code back in the 80’s.

The early tools just looked for coding errors, in the last 20 years the tools have been extended to also look for security issues. From a good tool you will get both security issues, and general programming issues.

Here you will get things like “variable never assigned a value” or “memory used after being freed” type errors.

Some notes:

  • This is language specific (because the code is being examined)
  • When an issue is found, the developer is given the line number to look at
  • All of the application is looked at, even if it is impossible for a user to get there

IAST – Interactive Application Security Testing

I don’t really like the name, but this is a hybrid of the above two technologies, and offers many advantages.

Typically, you have to install some additional software on the web server that is language specific (PHP, Java etc.) so that it can tie everything together.

When you then run the DAST tool, it interacts with the application, then behind the scenes, with the server component and works out what exactly is running when a problem is found.

This allows the tool to say “You have a X problem in file Y at line Z”. This greatly improves the fix time for the developer and reduces false positives. These tools are also better at finding issues with runtime frameworks.

As the tool is built as server components tied to a front-end DAST tool, it really is a super DAST tool with some SAST characteristics, rather than a complete replacement for both.

Acunetix have supported IAST for some time, and Netsparker has recently added it to their platform.

Read more about Staying safe with Risk Based Vulnerability Management.

Summary

As you can see, DAST and SAST tools work in different ways and will find different errors. For absolute security I would say you should have both tool types. If you can only afford one, then pick a DAST tool.

Much as IAST is described as a hybrid of DAST and SAST, it is much closer to an improved DAST tool. IAST will still not find everything that a SAST tool would. That leads me to the statement that “if you are picking a DAST tool, then it should have an IAST component”.

So, in short, if you can only afford one tool, then you should pick in the following order:

  1. IAST
  2. DAST
  3. SAST

I am sure all of the SAST vendors will say I am wrong; this is one of those cats’ vs dogs’ conversations, it is about picking the right too for the right job:

  • If you have to round up sheep, pick a dog
  • Mouse infestation, pick a cat

So back to our subject:

  • One security testing tool, pick IAST
  • Improve general bugs and errors in your code, pick SAST.

Next steps

If you want to learn more about the vendors that we represent, read more on our vendors page.

S4 Applications helps organisations protect their assets with vulnerability assessment and remediation solutions whether you are an Enterprise, SME or Security consultant.