Dynamic Application Security Testing (DAST) solutions test applications from the “outside in” to detect security vulnerabilities. In contrast, Static Application Security Testing (SAST) solutions test applications from the “inside out” by looking a source code, byte code or binaries.
Both approaches have their pros and cons and, until recently, the market for these tools has evolved separately with different vendors and solutions. Even when a single vendor offers both DAST and SAST solutions, they have not historically been integrated.
In the latest research for clients – Gartner Magic Quadrant for Dynamic Application Security Testing – one of the criteria we looked at was whether or not the vendor’s solution provided Interactive Application Security Testing (IAST). Specifically, we are looking for ways that application security testing solutions combine dynamic and static techniques to improve the overall quality of the testing results. The information gathered by this instrumentation agent gives the hybrid solution an inside-out view that complements the outside-in view of a purely DAST solution — for example, identifying the specific line of code where a security vulnerability occurred, or providing detailed visibility into code coverage. There are a couple of ways that Dynamic and Static testing techniques can be integrated and made to be interactive:
1) The web application platform (IIS, Apache, or other) can be instrumented to observe the application as it is being tested dynamically.
2) The web application can be instrumented via injected code (.NET, Java, or other) so that it can be observed during dynamic testing
3) The output of a static code/binary analysis could be used to create and “tune” the dynamic test that is subsequently performed.
4) The results of observing an application under dynamic test or in use could be used to modify the dynamic test that is being performed in real time. In this way, the dynamic test can be made much more “intelligent” in how it tests an application. This is exactly the approach used by Quotium – a vendor we wrote up in 2011 as a Gartner Cool Vendor.
Multiple DAST solutions now provide IAST capabilities. Some of the vendors evolving their offerings in this direction and offering IAST include Acunetix, HP, IBM, NTO, Parasoft and Quotium. However, most IAST solutions also requires that an agent be deployed on the application platform, which relegates the technique largely to QA and also requires that the vendor explicitly support the platform or language being instrumented (such as PHP, Java or .NET/ASP).
Look for IAST capabilities in your next evaluation of Dynamic Application Security Testing solutions.