Gartner Blog Network

Static or Dynamic Application Security Testing? Both!

by Neil MacDonald  |  January 19, 2011  |  6 Comments

Static application security testing (SAST) can be thought of as testing the application from the inside out – by examining its source code, byte code or application binaries for conditions indicative of a security vulnerability.

Dynamic application security testing (DAST) can be thought of as testing the application from the outside in – by examining the application in its running state and trying to poke it and prod it in unexpected ways in order to discover security vulnerabilities.

At the end of last year, my colleague Joseph Feiman and I completed work evaluating the vendors in the Static Application Security Testing (SAST) market. In this research note, available to clients, we evaluated HP/Fortify, IBM, Veracode, Checkmarx, GrammaTech, Armorize, Coverity, Klocwork and Parasoft.

Many of these SAST tool vendors also provide dynamic application security testing (DAST) capabilities.

We believe that the ability to test an application both statically and dynamically will become increasingly important. Why? A couple of reasons:

  • Some vulnerabilities can be found only with SAST, others only with DAST. Testing both ways yields the most comprehensive coverage.
  • Many web applications that would traditionally be scanned with DAST tools also contain a significant amount of client-side code in the form of JavaScript, Flash, Flex and Silverlight. This code must also be analyzed for security vulnerabilities, typically using static analysis.
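To make the "inside out" versus "outside in" distinction concrete, here is an added example (my own illustration, not code from the post or from any vendor it names). A constructed stand-in for a web application is scanned twice: a toy SAST pass walks its abstract syntax tree and flags SQL text assembled at runtime, while a toy DAST pass only calls the deployed entry point with malformed input and looks at the response. Each view finds something the other cannot: the static pass sees the concatenated query in `find_user`, which the dynamic pass never reaches because `handle` does not call it; the dynamic pass sees that the running app echoes exception detail when the `APP_DEBUG` environment variable is set, which the static pass cannot determine from the source. The function names, the `APP_DEBUG` variable and the sample application are all assumptions made for this example.

```python
"""Toy SAST and DAST over the same small application, side by side.

Added illustration, not code from the post or from any vendor it names.
The "application" is a constructed in-process stand-in for a web handler;
the two scanners are deliberately minimal.
"""
import ast
import os
import sqlite3

# Constructed sample application. DEBUG is read from the environment at
# runtime, so its value is invisible to anything that only reads the source.
APP_SOURCE = '''
import os
DEBUG = os.environ.get("APP_DEBUG", "0") == "1"

def find_user(db, name):
    # SQL text built by concatenation: a defect visible in the source.
    return db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()

def user_by_id(db, user_id):
    # Parameterised query; int() raises ValueError on non-numeric input.
    return db.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchall()

def handle(db, user_id):
    """The only entry point the deployed app exposes; returns (status, body)."""
    try:
        return 200, user_by_id(db, user_id)
    except Exception as exc:
        return 500, repr(exc) if DEBUG else "internal error"
'''


def sast_scan(source):
    """Inside-out: walk the AST and flag execute() calls whose SQL text is
    not a constant (concatenation, f-strings, format calls)."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and not isinstance(node.args[0], ast.Constant)):
                findings.append((func.name, "SQL text built at runtime"))
    return findings


def load_app(debug):
    """Start the application with a given runtime configuration."""
    os.environ["APP_DEBUG"] = "1" if debug else "0"
    namespace = {}
    exec(APP_SOURCE, namespace)
    return namespace


def dast_probe(app):
    """Outside-in: call the exposed entry point with malformed input and
    inspect the response. Only code reachable from handle() is exercised,
    so find_user() is never seen from here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    findings = []
    status, body = app["handle"](db, "abc")  # non-numeric id
    if status == 500 and "ValueError" in str(body):
        findings.append(("handle", "error response discloses exception detail"))
    return findings


if __name__ == "__main__":
    print("SAST:", sast_scan(APP_SOURCE))
    print("DAST (debug on): ", dast_probe(load_app(debug=True)))
    print("DAST (debug off):", dast_probe(load_app(debug=False)))
```

Running the script shows the static pass reporting `find_user` regardless of configuration, and the dynamic pass reporting `handle` only when the app is started with debug output enabled. Neither scanner alone reports both defects, which is the point of the two bullets above.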

There are other reasons, but the net/net is that testing an application with only one form of testing tool leaves residual risk. Our most critical applications should be tested using both SAST and DAST techniques. The good news is that several vendors offer both forms of testing, so the purchase of two separate tools/services isn’t required.


Category: application-security  applications  

Tags: application-security  application-security-testing-tools  best-practices  defense-in-depth  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Static or Dynamic Application Security Testing? Both!

  1. Andrew says:

    I’m in full agreement that coverage is improved greatly by utilizing DAST and SAST. I’ve seen so many cases where SAST has caught killer problems before release. But is SAST a requirement for all companies who care about security? Probably, but in what cases is it applicable and how much should be invested (in $$’s, resources, level of usage, etc.) to get the proper return on investment? Decision-makers have to execute on whether SAST is applicable, which technology will solve their problem, and most importantly, how deep and how wide their usage will be.

  2. Neil MacDonald says:

    Agree that putting SAST tools into the hands of every developer is not the right approach for every organization – but there are alternative approaches to incorporate SAST solutions – for example:
    * at unit build only
    * only for the more critical applications, not all applications
    * consuming SAST as a service from vendors such as Veracode, as well as IBM and HP now offering this

  3. Mandeep Khera says:

    I agree that if you have a lot of resources and a huge budget, you should do both. But, most companies have limited resources and are only testing a fraction of their total apps. Most companies would rather get wider coverage of their apps so they can test close to 100% of their apps instead of 5%. They can easily accomplish this through DAST because SAST takes a lot longer in terms of implementation and developer training. Once they go up on the maturity curve, they can bring in SAST to supplement their efforts. So if you have limited resources and want to cover more apps, shouldn’t you do DAST first?

  4. Andre Gironda says:

    @ Mandeep

    I agree that if you have unlimited resources, buying products such as commercial SAST or DAST will help an application security program. But, most companies have limited resources and are only hiring a fraction of the talent they need. Most companies would rather get any coverage of their apps so that they can even start to have an identifiable program that covers 100% of OpenSAMM instead of 5%. They can easily accomplish this through AppSec Consulting Companies because tools take a lot longer in terms of implementation and developer training. Once they have people in the program (instead of nobody around to do anything, or worse, non-qualified people running the show), they can bring in tools to supplement their efforts. So if you have limited resources and want an appsec program, shouldn’t you hire some people first?

  5. Neil MacDonald says:

    First, let me say that performing some application security testing is better than not performing any testing at all.

    Next, as you point out, most organizations start with either hiring outside application security testing firms or they look at DAST solutions (products or testing as a service providers). On the latter, there are several reasons for this — generally lower rates of false positives, easier for information security to test since they don’t have access to the source code, testing in a running state (usually because these applications are already deployed), don’t require significant SDLC changes and so on.

    However, my point is: Don’t stop there – at least not for your most critical applications.

    I disagree that the adoption of SAST has to be unreasonably costly or disruptive. As I pointed out a) many DAST providers are evolving to provide SAST of client side code anyway and b) don’t forget the SAST as a service option. Let someone else perform the testing and provide you the results.

  6. How static & dynamic websites have their own importance has been explained in here
