Quick Review Of Application Security Testing.
When I attend social functions with friends people often ask what I do. I'm never quite sure where to start. "I run a small tech company that helps Java applications run more securely" is probably overkill. "I help keep hackers out of proprietary places" has worked.
But usually, I just default to asking them questions. "How much do you know about computer programming?" or "What field do you work in?" or "Do you know much about writing code?" usually lets me know how much depth I should go into with them. But because you've stumbled upon our blog, I'm assuming that you know something about computer programming and coding, and that you want to know how to make both more secure against outside and inside threats. So I'm going to talk about DAST and SAST for a moment, then expound on why the new kid on the block, IAST, is going to produce better results in a faster time frame, helping you get back to what I assume you do best: writing good code.
DAST (Dynamic Application Security Testing)
DAST tests an application's exposed interfaces for vulnerabilities. It's testing from the outside in, the way an attacker would. The technology has been around a while, and it is familiar to most people inside of the application security world. DAST is good at finding externally visible vulnerabilities, and each finding is easy to confirm because the tool reports the URL and request that triggered it. The downsides of DAST are that it sees only what it can reach through the interfaces it probes, it cannot tell you which line of code is at fault, and it relies heavily on experts to write and tune tests, making it difficult to scale.
SAST (Static Application Security Testing)
SAST technologies analyze the source code or bytecode, without running the application, to help you find vulnerabilities inside of your code. If you can remove vulnerabilities from the code before you launch, you'll have stronger code and a more reliable application. Everyone knows that false positives are an issue, because a static tool has to guess which paths are actually reachable at runtime, but SAST can show you exactly where in the code an issue lives. Like DAST, SAST requires security experts to properly use the tools.
IAST (Interactive Application Security Testing)
According to the research firm Gartner, "...next-generation modern web and mobile applications require a combination of SAST and DAST techniques...interactive application security testing approaches have emerged that combine static and dynamic techniques to improve testing." And I guess that's the bottom line with IAST: It gets better results. That's probably why Gartner recommends IAST for providing greater testing accuracy. Just imagine if you could eliminate 99% of all false-positive results. See why Gartner positioned Contrast as "A Visionary In The Gartner Magic Quadrant For Application Security Testing." Download the report for free!
Watch a short video to see how IAST works and integrates into the SDLC.
How does IAST work?
The IAST agent instruments your application and does all of the analysis in real time within your application. This could be done in your IDE, your continuous integration environment, in QA, or even in production. By doing the analysis from within the application itself, the agent has access to:
- All the code for the application
- Runtime control and data flow information
- Configuration information
- HTTP requests and responses
- Libraries, frameworks, and other components
- Backend connection information
Access to all this information allows IAST engines to cover more code, produce more accurate results, and verify a broader range of security rules than either SAST or DAST tools. In addition, IAST agents are easy to install and don't require any application security expertise to use. They simply work better.
So the question remains: "Which one is best?" or "Which one should I use?" or, ultimately, "If I can only afford one application security tool, which one do I choose?"
And that's a good question. Give us a call at 888.371.1333 and let's talk it out.
~ Jeff Williams, CTO
Contrast Security