Static application security testing (SAST) can be thought of as testing the application from the inside out – by examining its source code, byte code or application binaries for conditions indicative of a security vulnerability.
Dynamic application security testing (DAST) can be thought of as testing the application from the outside in – by examining the application in its running state and trying to poke it and prod it in unexpected ways in order to discover security vulnerabilities.
At the end of last year, my colleague Joseph Feiman and I completed work evaluating the vendors in the Static Application Security Testing (SAST) market. In this research note, available to clients, we evaluated HP/Fortify, IBM, Veracode, Checkmarx, Grammatech, Amorize, Coverity, Klocwork and Parasoft.
Many of these SAST tool vendors also provide dynamic application security testing (DAST) capabilities.
We believe that the ability to test an application both statically and dynamically will become increasingly important. Why? A couple of reasons:
- Some vulnerabilities can be found only with SAST testing, others with DAST. Testing in both ways yields the most comprehensive testing.
There are other reasons, but the net/net is that testing an application with only one form of testing tool leaves residual risk. Our most critical applications should be tested using both SAST and DAST techniques. The good news is that several vendors offer both forms of testing, so the purchase of two separate tools/services isn’t required.
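To make the "inside out" versus "outside in" distinction concrete, here is an added example (not from the post or any of the vendors named above). It pairs a toy static scan with a toy dynamic probe against a constructed sample application that has one defect visible only in its source (a hardcoded secret) and one visible only at runtime (verbose error disclosure when the deployment sets DEBUG=1); the handler, SECRET_WORDS and DEBUG variable are assumptions made for the example.

```python
import ast
import os

# Constructed sample application (not from the page). One defect is visible only in
# source (a hardcoded secret that never appears in any response); the other is visible
# only at runtime (verbose errors when the deployment sets DEBUG=1, which no source
# scan can know).
SAMPLE_SOURCE = '''
import os
API_KEY = "constructed-example-secret"
def handler(user):
    try:
        return "hello " + user.split(",")[1]
    except Exception as exc:
        if os.environ.get("DEBUG") == "1":
            return "Traceback: " + repr(exc)
        return "bad request"
'''

SECRET_WORDS = ("key", "secret", "password", "token")  # assumed naming heuristic

def sast_scan(source):
    """Inside-out: parse the code and flag string literals assigned to secret-like names."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
        for target in node.targets:
            if isinstance(target, ast.Name) and literal and any(
                    w in target.id.lower() for w in SECRET_WORDS):
                findings.append(f"hardcoded secret in {target.id} (line {node.lineno})")
    return findings

def deploy(source, debug):
    """Stand-in for a running deployment: load the code under a chosen environment."""
    os.environ["DEBUG"] = "1" if debug else "0"
    namespace = {}
    exec(source, namespace)
    return namespace["handler"]

def dast_probe(handler):
    """Outside-in: exercise the running handler with malformed input and inspect responses."""
    findings = []
    for probe in ("alice", "", "a,b"):  # constructed inputs; "alice" and "" lack the comma
        response = handler(probe)
        if "Traceback" in response:
            findings.append(f"verbose error disclosure for input {probe!r}")
    return findings

if __name__ == "__main__":
    print(sast_scan(SAMPLE_SOURCE))                           # finds the secret
    print(dast_probe(deploy(SAMPLE_SOURCE, debug=True)))      # finds the runtime leak
    print(dast_probe(deploy(SAMPLE_SOURCE, debug=False)))     # same code, safe deployment
```

Run with both scans and neither finding is missed; run only one and the other defect is the residual risk the post describes.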
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.