Application Security With SAST and DAST

Quarterly Security Testing Expert Series - Vol 3/4 2021

Timothy Joseph | September 15, 2021

Frequently Asked Questions (FAQs)

What is Static Application Security Testing (SAST)?

SAST is a developer's approach to testing. It is a form of white-box testing: the tool needs access to the source code to work. SAST can identify many classes of security vulnerabilities, including software flaws and weaknesses such as missing input validation, stack buffer overflows, and SQL injection. Because it analyses code rather than runtime behaviour, SAST does not need a running system to perform its assessments and can be extended with new rules as a security testing method.

What is Dynamic Application Security Testing (DAST)?

DAST is a hacker's approach to testing. It is a form of black-box testing in which tests are run from outside the application while it is running. The application or software is validated in its running state, once it has been deployed to production or otherwise entered runtime. Testers follow an attacker's approach to uncover security vulnerabilities that other testing techniques miss.

What is the best SAST tool?

  • SonarQube: Organizations use this tool to track and improve code quality and code security.
  • Checkmarx CxSAST: Checks the source code for errors and also detects security and regulatory compliance issues.

Which tool is used for DAST?

  • ZAP: An open-source DAST scanner that supports interactive scanning through a desktop application and automated scanning through its API.
  • Burp Suite: One of the most widely used penetration testing tools among security testing teams that perform manual scans.
  • HCL AppScan: Formerly called IBM Security AppScan Standard, this tool combines DAST and SAST and can scan over a million lines of code per hour.

Disclaimer

This publication is for informational purposes only, and nothing contained in it should be considered legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information and encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.