DevOps is a quickly growing practice for companies in almost every market. With the influx of cyber attacks over the past decade, security has slowly crept forward in the SDLC to the point where we’re now hearing the term DevSecOps in developer circles.
To keep things tidy and help developers manage additional security responsibilities, tools for static and dynamic application security testing (SAST and DAST) have made their way into the fray. In this post, we’ll explain what SAST and DAST are, how they fit into developers’ workflows, and when they should be used.
What is application security testing (AST)?
Application security testing (AST) refers to the process of testing code to make sure it is free of vulnerabilities. There are many ways to test code, though static application security testing (SAST) and dynamic application security testing (DAST) are two of the more well-known.
Application security testing has traditionally been a manual (and time-consuming) process, but the growing popularity of DevOps and the risk of insecure code have driven the majority of development teams to automate at least some of the processes. These days, most organizations use a variety of security testing tools to complete AST.
What are SAST and DAST?
Under the AST umbrella, there live two different security testing approaches: static application security testing (SAST) and dynamic application security testing (DAST). Though different, neither is better than the other and the security testing outcome is superior when both are used together to detect security vulnerabilities in web applications and source code.
These are critical tools for successful DevSecOps. Each runs a set of automated tests, and both introduce security at the beginning of the software development lifecycle.
Static application security testing (SAST)
SAST can be used to analyze source code for known vulnerabilities – and is also a type of white box testing. The test will run before your code is deployed, ensuring that developers are alerted to fixes during the development phase. SAST can help remediate situations where your code has a potentially dangerous attribute in a class or unsafe code that can lead to unintended code execution.
Within GitLab, SAST will automatically generate a summary of fixes and unresolved vulnerabilities following every code commit, but before your code is merged to the target branch. Tools that allow SAST reports to sit within the developer’s work interface enable ease of remediation and streamline testing procedures within the development phase.
SAST takes an inside-looking-out approach, looking for security problems that might have been missed during source code development. It is effective when used after development is complete but before the finished project (and any missed security vulnerabilities) is deployed. Lots of developers nowadays integrate SAST testing into their CI/CD pipelines.
Dynamic application security testing (DAST)
DAST, a type of black box testing, analyzes your running web applications or known runtime vulnerabilities. GitLab’s DAST tool runs live attacks on a review app during QA, meaning developers can iterate on new apps and updates earlier and faster.
As with SAST, DAST should auto-run so that the developer doesn’t have to take measures to initiate the test. In other situations, DAST can also be used to continuously monitor live web applications for issues like cross-site scripting or broken authentication flaws. Test results should inform developers of potential vulnerabilities and serve as a catalyst for ongoing updates.
DAST tools help you see your web application through the eyes of a hacker in a deployed environment. It constantly scans for security vulnerabilities during web application runtime, as well as checking the other API or web services that your application connects to. This makes DAST excellent for testing your complete IT environment where your application or web services run.
Test early and often using SAST and DAST
Static and dynamic application security testing are two helpful tools to keep your code secure, but don’t rely on them to handle all of your security needs. It’s still important to do manual code reviews, test high-level behaviors and functionality, conduct database scanning, and ensure that your whole team is operating with a security-first mindset.
Cover image by Mikael Kristenson on Unsplash
“What are static and dynamic application security testing? Learn all about it” – Vanessa Wegner
Click to tweet