X
October 20, 2016
Recently, Clark Coleman asked a very logical question about application security tools:
Can you explain the difference between DAST (Dynamic Application Security Testing) and IAST (Interactive Application Security Testing)? To a novice like me, it would seem that you either analyze a program while it is not running (static) or while it is running (dynamic). Logically, (A) and (not A) cover the possible universe with no room for a third category.
The problem, as usual, is naming. What we call DAST means that an application is scanned with HTTP requests in a quest to reveal vulnerabilities based the HTTP responses generated. What we call SAST means analyzing application code. Putting the names aside, these two techniques don't nearly cover the possible universe of ways to analyze an application's security.
I wrote an article in 2014 to explain why the terms "static" and "dynamic" are misleading. I proposed an alternative way to organize your thinking about application security tools.
Instead of thinking of tools as static or dynamic, click here to hop over to DZone and read my guest blog post and learn how to classify them by what information you have available to make decisions.
.jpg)
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
