Static application security testing (SAST) can be thought of as testing the application from the inside out – by examining its source code, byte code or application binaries for conditions indicative of a security vulnerability.
Dynamic application security testing (DAST) can be thought of as testing the application from the outside in – by examining the application in its running state and trying to poke it and prod it in unexpected ways in order to discover security vulnerabilities.
At the end of last year, my colleague Joseph Feiman and I completed work evaluating the vendors in the Static Application Security Testing (SAST)market. In this research note available to clients, we evaluated HP/Fortify, IBM, Veracode, Checkmarx, Grammatech, Amorize, Coverity, Klocwork and Parasoft.
Many of these SAST tool vendors also provide dynamic application security testing (DAST) capabilities.
We believe that the ability to test an application both statically and dynamically will become increasingly important. Why? A couple of reasons:
- Some vulnerabilities can be found only with SAST testing, others with DAST. Testing in both ways yields the most comprehensive testing.
There are other reasons, but the net/net is that testing application with only one form of testing tool leaves residual risk Our most critical applications should be tested using both SAST and DAST techniques. The good news is that several vendors offer both forms of testing so the purchase of two separate tools/services isn’t required.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.