Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Static or Dynamic Application Security Testing? Both!

by Neil MacDonald  |  January 19, 2011  |  6 Comments

Static application security testing (SAST) can be thought of as testing the application from the inside out – by examining its source code, byte code or application binaries for conditions indicative of a security vulnerability.

Dynamic application security testing (DAST) can be thought of as testing the application from the outside in – by examining the application in its running state and trying to poke it and prod it in unexpected ways in order to discover security vulnerabilities.

At the end of last year, my colleague Joseph Feiman and I completed work evaluating the vendors in the Static Application Security Testing (SAST)market. In this research note available to clients, we evaluated HP/Fortify, IBM, Veracode, Checkmarx, Grammatech, Amorize, Coverity, Klocwork and Parasoft.

Many of these SAST tool vendors also provide dynamic application security testing (DAST) capabilities.

We believe that the ability to test an application both statically and dynamically will become increasingly important. Why? A couple of reasons:

  • Some vulnerabilities can be found only with SAST testing, others with DAST. Testing in both ways yields the most comprehensive testing.
  • Many web applications that would be traditionally scanned with DAST tools also use a significant amount of client-side code in the form of Javascript, Flash, Flex and Silverlight. This code must also be analyzed for security vulnerabilities, typically using static analysis.

There are other reasons, but the net/net is that testing application with only one form of testing tool leaves residual risk Our most critical applications should be tested using both SAST and DAST techniques. The good news is that several vendors offer both forms of testing so the purchase of two separate tools/services isn’t required.

6 Comments »

Category: Application Security Applications     Tags: , , ,

6 responses so far ↓

  • 1 Andrew   January 20, 2011 at 1:25 pm

    I’m in full agreement that coverage is improved greatly by utilizing DAST and SAST. I’ve seen so many cases where SAST has caught killer problems before release. But is SAST a requirement for all companies who care about security? Probably, but in what cases is it applicable and how much should be invested (in $$’s, resources, level of usage, etc.) to get the proper return on investment? Decision-makers have to execute on whether SAST is applicable, which technology will solve their problem, and most importantly, how deep and how wide their usage will be.

  • 2 Neil MacDonald   January 20, 2011 at 3:53 pm

    Andrew,

    Agree that putting SAST tools into the hands of every developer is not the right approach for every organization – but there are alternative approaches to incorporate SAST solutions – for example
    * at unit build only
    * only for the more critical applications, not all applications
    * consuming SAST as a service from vendors such as Veracode as well as IBM and HP now offering this

    Neil

  • 3 Mandeep Khera   January 21, 2011 at 2:33 pm

    I agree that if you have a lot of resources and a huge budget, you should do both. But, most companies have limited resources and are only testing a fraction of their total apps. Most companies would rather get wider coverage of their apps so they can test close to 100% of their apps instead of 5%. They can easily accomplish this through DAST because SAST takes a lot longer in terms of implementation and developer training. Once they go up on the maturity curve, they can bring in SAST to supplement their efforts. So if you have limited resources and want to cover more apps, shouldn’t you do DAST first?

  • 4 Andre Gironda   January 21, 2011 at 4:43 pm

    @ Mandeep

    I agree that if you have unlimited resources, buying products such as commercial SAST or DAST will help an application security program. But, most companies have limited resources and are only hiring a fraction of the talent they need. Most companies would rather get any coverage of their apps so that they can even start to have an identifiable program that covers 100% of OpenSAMM instead of 5%. They can easily accomplish this through AppSec Consulting Companies because tools take a lot longer in terms of implementation and developer training. Once they have people in the program (instead of nobody around to do anything, or worse, non-qualified people running the show), they can bring in tools to supplement their efforts. So if you have limited resources and want an appsec program, shouldn’t you hire some people first?

  • 5 Neil MacDonald   January 22, 2011 at 10:19 am

    Mandeep,

    First, let me say that performing some application security testing is better than not peforming any testing at all.

    Next, as you point out, most organizations start with either hiring outside application security testing firms or they look at DAST solutions (products or testing as a service providers). On the latter, there are several reasons for this — generally lower rates of false positives, easier for information security to test since they don’t have access to the source code, testing in a running state (usually because these applications are already deployed), don’t require significant SDLC changes and so on.

    However, my point is: Don’t stop there – at least not for your most crtical applications.

    I disagee that the adoption of SAST has to be unreasonably costly or disruptive. As I pointed out a) many DAST providers are evolving to provide SAST of client side code anyway and b) don’t forget the SAST as a service option. Let someone else perform the testing and provide you the results.

    Neil

  • 6 Application Security   January 24, 2011 at 5:01 am

    How static & dynamic websites have their own importance has been explained in here