APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.


SAST, DAST, and IAST: Why the difference matters

Quick Review Of Application Security Testing

When I attend social functions with friends, people often ask what I do. I'm never quite sure where to start. "I run a small tech company that helps Java applications run more securely" is probably overkill. "I help keep hackers out of proprietary places by seeking out software issues and security flaws with specialized tools" has worked.

But usually, I just default to asking them questions. "How much do you know about software development tools and what developers do?" or "What field do you work in?" or "Do you know much about writing code?" usually lets me know how much depth I should go into with them.

Because you've stumbled upon our blog, I'm assuming that you know something about computer programming, coding tools, and the development process, and that you want to know how to find vulnerabilities in your software so that it's more secure against outside and inside threats. So I'm going to talk about dynamic application security testing (DAST) and static application security testing (SAST) for a moment, then explain why interactive application security testing (IAST) is an approach that's going to produce better results in a faster time frame, helping developers meet their primary objective: creating software solutions that are secure.

Let’s take a quick look at SAST vs. DAST vs. IAST in the development/testing process.

DYNAMIC APPLICATION SECURITY TESTING (DAST)

DAST, also known as black box testing, is an approach that exercises a running application's exposed interfaces looking for vulnerabilities and flaws. It's testing from the outside in, which is why it's referred to as black box testing. The technology and tools have been part of the development process for a while, and are familiar to most people inside the application security world. DAST is good at finding externally visible issues and vulnerabilities, and its findings are easy to confirm because each report includes the URL that triggered it. The downside of DAST is its heavy reliance on experts to write tests, making it difficult to scale.

STATIC APPLICATION SECURITY TESTING (SAST)

SAST tools and technologies analyze the source code or bytecode from the inside out, helping developers find issues and flaws inside their code. If you can prevent vulnerabilities in software before you launch, you'll have stronger code and a more reliable application. Everyone knows that false positives are an issue when testing an application, but SAST can show you exactly where to find issues in the code. Like DAST, SAST requires security experts to properly use SAST tools and solutions.

CONTINUOUS VS. SNAPSHOT IN TIME

Because legacy SAST, DAST, and pen testing only provide a snapshot in time, they can't keep up with today's agile software development lifecycle processes. Contrast provides a modern approach to application security testing by embedding security expertise in the application itself. This embedded (agent-based), scalable, always-on solution fits seamlessly across development and production environments, using Contrast sensors that provide real-time vulnerability and attack telemetry throughout application workflows.

IAST (Interactive Application Security Testing)

According to the research firm Gartner, "...next-generation modern web and mobile applications require a combination of SAST and DAST techniques...interactive application security testing approaches have emerged that combine static and dynamic techniques to improve testing." That's the bottom line with IAST: When we compare SAST vs. DAST, IAST gets better results. That's probably why Gartner recommends IAST and IAST tools for providing greater testing accuracy. Just imagine if you could find vulnerabilities while eliminating 99% of all false-positive results in your software development efforts. See why Gartner positioned Contrast as "A Visionary in the Gartner Magic Quadrant for Application Security Testing."

How does Interactive Application Security Testing (IAST) work?

An IAST agent instruments the application and performs all of its analysis in real time from within the application itself. This can be done in your integrated development environment (IDE), in QA, or even while running in production. Because the analysis happens inside the application, the agent has access to:

  • All the code for the application
  • Runtime control and data flow information
  • Configuration information
  • HTTP requests and responses
  • Libraries, frameworks, and other components
  • Backend connection information

Access to all this information allows IAST tools to cover more code, produce more accurate results, and verify a broader range of security rules than either SAST tools or DAST tools on their own. In addition, IAST agents are easy to install and don't require any application security expertise to use. They simply work better.
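To make the agent mechanism concrete, here is an added illustration (not Contrast's code, and not from the original post) of the two hooks an IAST agent needs: a source hook that marks HTTP parameters as untrusted, and a sink hook that checks what reaches a database call. The class and function names (Tainted, IastAgent, Finding, InstrumentedCursor) and the sample request are constructed for this example. Two points it shows that the text above only states: the flaw is found during an ordinary functional request ("alice"), with no attack payload, because the agent watches data flow rather than responses; and the parameterized handler produces no finding, which is where the false-positive advantage comes from.

```python
# Added illustration: a toy IAST-style agent for a Python request handler.
# Not Contrast's code; names (Tainted, IastAgent, Finding) are hypothetical.
import sqlite3
from dataclasses import dataclass


class Tainted(str):
    """A str that remembers the untrusted source it came from.

    Taint survives the string operations a handler typically applies before
    building a query. Only the operations listed here propagate it (toy
    limitation: f-strings and ''.join would drop it; a real agent hooks the
    runtime to cover those as well).
    """

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def _wrap(self, value):
        return Tainted(value, self.source)

    def __add__(self, other):
        return self._wrap(str.__add__(self, other))

    def __radd__(self, other):
        return self._wrap(str.__add__(other, self))

    def strip(self, chars=None):
        return self._wrap(str.strip(self, chars))

    def replace(self, old, new, count=-1):
        return self._wrap(str.replace(self, old, new, count))


@dataclass
class Finding:
    rule: str      # which security rule fired
    source: str    # where the untrusted data entered the application
    sink: str      # the dangerous API it reached
    evidence: str  # the value observed at the sink


class IastAgent:
    """Source hook plus sink hook: the two halves of a minimal IAST agent."""

    def __init__(self):
        self.findings = []

    def taint_request(self, params):
        """Source hook: every HTTP parameter is untrusted, so mark it."""
        return {k: Tainted(v, f"http.param:{k}") for k, v in params.items()}

    def cursor_factory(self):
        """Sink hook: a sqlite3 cursor whose execute() inspects the SQL text."""
        agent = self

        class InstrumentedCursor(sqlite3.Cursor):
            def execute(self, sql, parameters=()):
                # Tainted SQL *text* means untrusted data shaped the query.
                # Tainted *parameters* are fine: the driver binds them safely.
                if isinstance(sql, Tainted):
                    agent.findings.append(Finding(
                        "sql-injection", sql.source,
                        "sqlite3.Cursor.execute", str(sql)))
                return super().execute(sql, parameters)

        return InstrumentedCursor


# --- the application under test (constructed sample) ---------------------

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn


def lookup_role_vulnerable(cursor, params):
    # Untrusted input concatenated into the query text.
    sql = "SELECT role FROM users WHERE name = '" + params["name"].strip() + "'"
    return cursor.execute(sql).fetchall()


def lookup_role_safe(cursor, params):
    # Same input, but bound as a parameter: the query text stays untainted.
    sql = "SELECT role FROM users WHERE name = ?"
    return cursor.execute(sql, (params["name"].strip(),)).fetchall()


def run_functional_test():
    """Drive both handlers with an ordinary request; return the agent's findings."""
    agent = IastAgent()
    conn = setup_db()
    cursor = conn.cursor(factory=agent.cursor_factory())
    request = agent.taint_request({"name": " alice "})  # constructed request
    assert lookup_role_vulnerable(cursor, request) == [("admin",)]
    assert lookup_role_safe(cursor, request) == [("admin",)]
    return agent.findings


if __name__ == "__main__":
    for f in run_functional_test():
        print(f"{f.rule}: {f.source} -> {f.sink} ({f.evidence!r})")
```

Running it reports exactly one finding, for the concatenating handler, carrying the source (`http.param:name`), the sink (`sqlite3.Cursor.execute`) and the query text that reached it; the parameterized handler is silent because the SQL text it executes never carried taint. Replacing the string subclass with runtime instrumentation of the language's string and I/O primitives is what separates this sketch from a production agent.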

So the question remains: "Which one is best?" or "Which one should I use?" or, ultimately, "If I can only afford one security application tool integrated into our SDLC, which one do I choose?"

To learn more about the advantages of IAST, visit our blog about the 7 Advantages of Interactive Application Security Testing (IAST), or visit our IAST solution page: Contrast Assess.

You can also schedule a demo from a Contrast Assess expert today!


Most companies build or buy software applications to run their business. Unfortunately, application code exposes critical vulnerabilities to hackers. Contrast solves this complex problem with a bold new secure technology platform that transforms application security by making software self-protecting. Intelligent Contrast agents are injected into the code, instrumenting applications with thousands of smart, agile sensors that detect and correct vulnerabilities before deployment, and protect the software applications in operation. No legacy security tool can protect every application, but a tenacious army of intelligent Contrast sensors can. Because Contrast technology works hand-in-glove with agile and DevOps teams, it transforms every software application in a company’s portfolio from a weak spot into a strong point to decisively repel attacks.

To learn more about the Contrast portfolio of products:

Feel free to watch a short video to see how IAST works and integrates into the SDLC.

Jeff Williams, Co-Founder, Chief Technology Officer
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.