To SAST, or to DAST, That is the Question
While implementing secure coding guidelines, enforcing strict code review processes, providing our developers the necessary training, etc. are all extremely important, we want to discuss the benefits and differences between static code analysis and dynamic application testing.
All too often the purpose and benefits of static code analysis (static application security testing - SAST) and dynamic application testing (dynamic application security testing - DAST), are confused. While they both have their purpose and provide valuable information: they are complementary not interchangeable.
It is important to note, that while automated tools and vulnerability scanners have their purposes and do certain functions well, they have their limitations. In order to get the most out these tools, and catch the majority of vulnerabilities that may exist within your applications, it's important to pair them with highly-qualified and experienced people. Applications with complex logic and workflows are still very difficult to comprehensively review with tools alone.
Let’s dive in. What is static code analysis and what is dynamic application testing? And, how are they different?
Implementing Security Checks Throughout the Software Development Cycle is Crucial
Static Analysis
According to the Open Web Application Security Project (owasp.org), static code analysis, or source code analysis, "commonly refers to the running of static code analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code." In short, static analysis examines the source code in a non-runtime environment for security vulnerabilities or to ensure compliance with certain development standards. Non-runtime analysis can be against raw source code, compiled binaries, or third-party modules.
Static analysis can be highly automated and can occur much earlier in the development process, such as when code is checked into a code repository. The ‘check in’ event can trigger a source code scan and immediately provide feedback to the developer. This allows peer reviews to focus mostly on logic and other critical aspects. Strategically integrating static analysis checks and other security-centric steps (e.g., security design reviews) early in the development process can accelerate future steps, instead of inhibit them.
The major drawback to static analysis tools is first-time-use and false positive analysis tuning. This can be a big hurdle the first time through, but once the tool is tuned and running, it helps educate the developers and accelerate secure software coding practices. The other con to be aware of, is that some coding languages are not yet supported fully and that is critical to understand before selecting a solution.
Static code analysis tools are useful for identifying SQL injection flaws, buffer overflows, vulnerable third-party libraries, etc. However, they're unable to identify issues with complex, dynamic, multi-step functions (i.e., authentication processes).
Dynamic Testing
Dynamic testing evaluates the application in its running state, near or in production, by trying to manipulate the application in order to identify security vulnerabilities. By sending crafted requests to the application, and evaluating and analyzing the responses received, dynamic testing allows us to identify vulnerabilities and application logic flaws.
The key advantage to dynamic analysis is that, if leveraged properly, it can detect an array of issues that may be present in a running application including design flaws, misconfigurations, security vulnerabilities, runtime errors, etc.
A common issue with dynamic testing is that it tends to happen far too late in the development process. The dynamic testing can, and should, be integrated earlier in the development cycle. Leveraging tools such as Selenium and Burp Suite while working through the development phases will provide details on identified flaws much earlier in the process.
Protect Your Applications and Your Sensitive Information
So, Which Is Better?
Both static code analysis and dynamic application testing have their purposes as part of a mature development and application security program. If you are currently only leveraging one or the other, you are probably missing out on valuable information that could be utilized to further secure your applications. If you are using both, but not until the end of the development process, you are likely missing opportunities to more effectively catch and correct issues, while saving time and resources. Through employing more of ‘Shift Left’ strategy, and implementing SAST and DAST early on within the development lifecycle, you gain tangible insight into threats, vulnerabilities, and application flaws earlier on so that can they can be addressed in a timely manner.
With all security tools, ensuring that you have personnel, or partners, that have the expertise to properly perform the assessments, enable the tools, evaluate the results, and implement the corrective actions is crucial. While automated tools can help expedite certain testing steps, there is still no substitute for human expertise.