Static application security testing (SAST) can be thought of as testing the application from the inside out – by examining its source code, byte code or application binaries for conditions indicative of a security vulnerability.
Dynamic application security testing (DAST) can be thought of as testing the application from the outside in – by examining the application in its running state and trying to poke it and prod it in unexpected ways in order to discover security vulnerabilities.
At the end of last year, my colleague Joseph Feiman and I completed work evaluating the vendors in the Static Application Security Testing (SAST) market. In this research note, available to clients, we evaluated HP/Fortify, IBM, Veracode, Checkmarx, GrammaTech, Armorize, Coverity, Klocwork and Parasoft.
Many of these SAST tool vendors also provide dynamic application security testing (DAST) capabilities.
We believe that the ability to test an application both statically and dynamically will become increasingly important. Why? A couple of reasons:
- Some vulnerabilities can be found only with SAST, others only with DAST. Testing both ways yields the most comprehensive coverage.
There are other reasons, but the net/net is that testing an application with only one form of testing tool leaves residual risk. Our most critical applications should be tested using both SAST and DAST techniques. The good news is that several vendors offer both forms of testing, so the purchase of two separate tools/services isn’t required.
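To make the point about complementary coverage concrete, here is an added example (not from the original post or from any vendor's product) that runs a toy static check and a toy dynamic check against the same constructed sample application. The sample app, the `escape_output` setting and all function names are assumptions made for illustration: the weak password hash never shows up in a response, so only the source-level scan sees it, while the unencoded output depends on deployment configuration, so only the runtime probe sees it.

```python
import ast

# Constructed sample application (hypothetical, for illustration only).
SAMPLE_APP = '''
import hashlib, html

def store_password(pw):
    # Weak hash: never visible in any response the app sends.
    return hashlib.md5(pw.encode()).hexdigest()

def handle(query, config):
    # Output encoding depends on deployment config, not on the source alone.
    name = html.escape(query) if config.get("escape_output") else query
    return "<p>Hello " + name + "</p>"
'''

WEAK_HASHES = {"md5", "sha1"}

def static_scan(source):
    """SAST-style: walk the syntax tree; the code is never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "hashlib"
                and node.func.attr in WEAK_HASHES):
            findings.append(f"line {node.lineno}: weak hash hashlib.{node.func.attr}")
    return findings

def dynamic_scan(handler, config):
    """DAST-style: send a harmless marker and inspect the running app's response."""
    marker = "<dast-probe>"
    body = handler(marker, config)
    if marker in body:
        return ["response reflects input without HTML encoding"]
    return []

def run_both(config):
    """Return (static findings, dynamic findings) for one deployment config."""
    namespace = {}
    exec(compile(SAMPLE_APP, "sample_app", "exec"), namespace)  # "deploy" the app
    return static_scan(SAMPLE_APP), dynamic_scan(namespace["handle"], config)

if __name__ == "__main__":
    for cfg in ({"escape_output": True}, {"escape_output": False}):
        print(cfg, *run_both(cfg), sep="\n  ")
```

With `escape_output` enabled the dynamic probe reports nothing while the static finding remains; with it disabled each technique reports a finding the other cannot produce.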