The Roles of SAST and DAST and Fuzzing in Application Security
Applications have become a major part of our lives. From banking to shopping, nearly all daily tasks these days can be completed on a computer or smartphone. With more applications being built every day, the need for robust Application Security Testing (AST) has never been greater. In this blog post, we'll cover the roles DAST and SAST play in Application Security Testing and discuss how fuzzing fits into it all.
The video below is a great complement to the blog and offers context into how SAST, SCA, DAST, and Fuzzing go about testing and the types of vulnerabilities they are able to discover:
What is SAST?
Static Application Security Testing, or SAST, is a white box method of testing. Static analysis examines an application as it's written, without actually running it. SAST tools can be used to identify security vulnerabilities in the source code itself. Because SAST typically occurs before the software is released, it can be used to prevent vulnerabilities from being introduced during the software development process. Because it is only looking at weaknesses in code, it cannot determine whether a flaw is actually vulnerable, meaning someone will have to comb through all the false positives. For more shortcomings of SAST tools, check out our blog: Challenging ROI Myths Of Static Application Security Testing (SAST)
Similarly, Software Composition Analysis (SCA) looks at open source code. It does not always require access to source code. There are fewer false positives because it is signature-matching known vulnerabilities. Therefore it can be thought of as a reactive solution and one that still doesn’t address the unknown vulnerabilities in your code.
SAST and SCA tools both address vulnerability management, meaning you already know what common weaknesses (CWEs) or common vulnerabilities (CVEs) that can be exploited and then parse through the code to find them. But what about unknown vulnerabilities, the zero days? For that you’ll need another tool.
What is DAST?
Dynamic Applications Security Testing (DAST) is a black-box security testing method that examines applications as they're operating to uncover vulnerabilities that an attacker might exploit. Because they are actively running code, DAST tools monitor and "listen in" on traffic between the client browser and web server when they interact with each other, such as during authentication or when data is submitted by the user.
Interactive Application Security Testing (IAST) is one DAST tool available. It, however, requires that an agent be installed on the client for monitoring purposes -- something that is not always possible. And while IAST provides a code feedback loop, it doesn't help you grow code coverage, leaving you at risk for untested code. Untested code is risky code.
DAST does come with some advantages over SAST:
- It's able to catch bugs introduced after development has been completed
- There's no need to have the source code
- DAST can be automated and run in multiple environments such as a development or client's production environment
- It can detect hard-coded passwords and other security vulnerabilities which are invisible to SAST
Unfortunately, dynamic application security testing does require that the web application under test be publicly accessible by the DAST tools.
Fuzzing: Another Type of Dynamic Application Security Testing
Fuzzing is a type of dynamic, behavior-based analysis. Fuzz testing then, is the next generation of application security testing, which can be used to automatically find bugs. Fuzz testing is also the only dynamic analysis solution that helps reduce the cloud of uncertainty from that untested code because it continues to test even after a vulnerability is found.
The goal of fuzz testing is not necessarily to find specific vulnerabilities, but rather identify conditions which will trigger exceptions and crashes in the target system for further investigation by security professionals. Advanced fuzz testing reduces the likelihood of false positives by providing proof of vulnerabilities meaning that with fuzzing, you can find and fix issues in your software development pipeline before they are released and become security incidents.
SAST vs DAST vs Fuzzing
DAST, SAST, and Fuzz Testing are all useful tools in discovering vulnerabilities that may exist in an application's design or implementation. Determining which one to use is often a case of balancing cost vs value with dynamic application security testing and Fuzzing being more expensive but providing greater insight into potential security issues. A balance between these methods will give you the best ROI for finding software vulnerabilities before hackers do!
For a detailed overview of which ast tool or combination is best for your organization, check out our whitepaper: Good, Better, Best, Software Testing Tools . You'll see a breakdown of static analysis security testing, software composition analysis, and Advanced Fuzz Testing.