DAST vs SAST – Dynamic Application Security Testing vs Static

The New Acunetix V12 Engine


In security testing, much like most things technical there are two very contrary methods, Dynamic Application Security Testing or DAST and Static Application Security Testing or SAST.

Dynamic testing relying on a black-box external approach, attacking the application in its running state as a regular malicious attacker would.

Static testing is more white-box looking at the source-code of the application for potential flaws.

DAST vs SAST - Dynamic Application Security Testing vs Static


Personally, I don’t see them as ‘vs’ each other, but more like they compliment each other – it’s easy to have SAST tests as part of your CI/CD pipeline with tools like Code Climate.

DAST – Dynamic Application Security Testing

There are also pros and cons for each methodology, with DAST you aren’t bound to any particular technology or language – but on the downside, you are also limited to the parts of the application visible to the outside World.

An example of such a tool would be:

Wikto Scanner Download – Web Server Security Tool
Spaghetti Download – Web Application Security Scanner

It’s always good to simulate attacks from the outside with the kind of access a real World attacker would have, but it doesn’t give you full visibility of the potentials flaws in your system.

SAST – Static Application Security Testing

For SAST a big con is the toolset you are using needs to be language and even framework specific, for example tools we’ve mentioned before such as:

Brakeman – Static Analysis Rails Security Scanner
RIPS – Static Source Code Analysis For PHP Vulnerabilities

The upside to this is that you get full oversight of the app, libraries, dependencies and parts not visible to the outside World.

IAST – Interactive Application Security Testing

There is actually a combination of the two, a form of ‘greybox’ testing that combines the DAST approach with the the SAST tooling by installing a sensor into the application itself.

A great example of this is Acunetix AcuSensor which is installed on the back-end and relays information during the DAST testing phase (so it acts as a whitebox DAST component).

You can read more in depth about this subject here:

DAST vs SAST: A Case for Dynamic Application Security Testing

Posted in: Security Software

,


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


2 Responses to DAST vs SAST – Dynamic Application Security Testing vs Static

  1. Defiant December 9, 2017 at 9:56 am #

    “It’s” means “it is”.

    • Darknet December 9, 2017 at 6:24 pm #

      Corrected, thankyou.