In this blog I want to quickly run through what each of these acronyms means, compare DAST vs SAST vs IAST, and explain why, from a security perspective, you should be using at least one of them.
The easy bit first
In each acronym the AST stands for “Application Security Testing”, which is a good start, as this is the function that they perform. The nuance comes in how they work differently, which is the reason for the first letter.
DAST = Dynamic Application Security Testing
SAST = Static Application Security Testing
IAST = Interactive Application Security Testing
DAST – Dynamic Application Security Testing
A tool that accesses a web application and pretends to be a browser to take a look around your application for security issues. It is common to give the tool a user name and password so that it can look around the more sensitive areas of your application too.
The types of issues that DAST can find are categorised reasonably well in the OWASP Top 10 and cover things like “Cross Site Scripting” or “SQL Injection”. A good scanning tool will also find more subtle errors like insecure cookie handling, out-of-date library use and so on.
- This is only for web applications
- This is also programming language agnostic; it is the behaviour that is examined, not how it is done
- It only examines areas of the application it can access
- When an issue is identified, the programmer must work out what happened to find the line of code
- You can test an application for which you do not have the source code
SAST – Static Application Security Testing
A tool that looks at the source code for coding issues. Tools that perform this task have been around since programming languages started. I personally remember using “lint” with my C code back in the 80’s.
The early tools just looked for coding errors; in the last 20 years the tools have been extended to also look for security issues. From a good tool you will get both security issues and general programming issues.
Here you will get things like “variable never assigned a value” or “memory used after being freed” type errors.
- This is language specific (because the code is being examined)
- When an issue is found, the developer is given the line number to look at
- All of the application is looked at, even if it is impossible for a user to get there
IAST – Interactive Application Security Testing
I don’t really like the name, but this is a hybrid of the above two technologies, and offers many advantages.
Typically, you have to install some additional software on the web server that is language specific (PHP, Java etc.) so that it can tie everything together.
When you then run the DAST tool, it interacts with the application and, behind the scenes, with the server component, and works out exactly what is running when a problem is found.
This allows the tool to say “You have a X problem in file Y at line Z”. This greatly improves the fix time for the developer and reduces false positives. These tools are also better at finding issues with runtime frameworks.
As the tool is built as server components tied to a front-end DAST tool, it really is a super DAST tool with some SAST characteristics, rather than a complete replacement for both.
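The idea of a server component tying a scanner's request to a line of code can be sketched in a few lines. This is an added example written for this article, not how any particular IAST product is implemented: the `AgentCursor` wrapper, the marker value and the two handlers are all constructed, and the "scanner" is simply a function that passes a harmless token to each handler.

```python
import inspect
import os
import sqlite3

MARKER = "iastprobe7f3a"  # constructed, harmless token the scanner puts in a request

class AgentCursor:
    """Server-side component: wraps the DB cursor the application uses."""

    def __init__(self, cursor, findings):
        self._cursor = cursor
        self._findings = findings

    def execute(self, sql, params=()):
        # Bound parameters never appear in the SQL text, so seeing the marker
        # here means request input was concatenated into the statement.
        if MARKER in sql:
            caller = inspect.stack()[1]  # the application frame that called us
            self._findings.append({
                "issue": "request input concatenated into SQL",
                "file": os.path.basename(caller.filename),
                "function": caller.function,
                "line": caller.lineno,
            })
        return self._cursor.execute(sql, params)

# Two constructed request handlers standing in for the application under test.
def search_unsafe(cur, term):
    return cur.execute("SELECT name FROM items WHERE name = '" + term + "'").fetchall()

def search_safe(cur, term):
    return cur.execute("SELECT name FROM items WHERE name = ?", (term,)).fetchall()

def run_probe():
    """Scanner side: send the marker to every handler, then read the agent's report."""
    findings = []
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    cur = AgentCursor(db.cursor(), findings)
    for handler in (search_unsafe, search_safe):
        handler(cur, MARKER)
    db.close()
    return findings

if __name__ == "__main__":
    for f in run_probe():
        print(f"{f['issue']} in {f['file']} at line {f['line']} ({f['function']})")
```

Both handlers return the same empty result to the outside, so a purely external scan sees no difference between them; only the server-side wrapper can say which one built its SQL from the request, and on which line.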
As you can see, DAST and SAST tools work in different ways and will find different errors. For absolute security I would say you should have both tool types. If you can only afford one, then pick a DAST tool.
Much as IAST is described as a hybrid of DAST and SAST, it is much closer to an improved DAST tool. IAST will still not find everything that a SAST tool would. That leads me to the statement that “if you are picking a DAST tool, then it should have an IAST component”.
So, in short, if you can only afford one tool, then you should pick in the following order:
I am sure all of the SAST vendors will say I am wrong; this is one of those cats vs dogs conversations. It is about picking the right tool for the right job:
- If you have to round up sheep, pick a dog
- Mouse infestation, pick a cat
So back to our subject:
- One security testing tool, pick IAST
- Improve general bugs and errors in your code, pick SAST.
Acunetix has what it takes to manage the security of all your assets with a complete web application security testing solution that can detect over 6,500 vulnerabilities.
Invicti is a web vulnerability scanner that makes it easy for security teams to pinpoint critical issues and assess the potential consequences, automatically crawling and scanning all types of legacy and modern web applications.