I would think most would agree that it wouldn’t be too much of a stretch to draw a parallel between security tools and medicines, and between threats and diseases, which brings us to the tried and true analogy of “the medicine is worth the cure”.
While there are many tools and many types of threats, let’s take a look at a few tools, namely SAST, DAST and IAST, and how they fit into application security programs.
Static Application Security Testing (SAST)
Static Application Security Testing (SAST) tools use a clear-box (white-box) testing approach to identify vulnerabilities. A well understood and widely adopted part of application security programs, SAST came about back in 2006 and allows developers and application security teams to check source code for vulnerabilities, hence the white-box description.
Developers and application security teams use SAST in the earlier stages of the SDLC; it is typically run during software builds, every time code is checked in, or during a code release.
Most SAST tools rely on rules to identify where in the code issues such as input validation errors, path traversals, injections, race conditions, and many others exist. From there, the issues are reported into a ticketing system or, depending on the company’s philosophy, the tool can be integrated into the SDLC to go as far as stopping builds if issues are found during SAST testing.
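To make the rule-based approach and its accuracy trade-off concrete, here is an added example written for this article; it is not code from the page or from any SAST product. It is a toy line-oriented scanner with three hypothetical rules (SQLI-001, PATH-001, CONCAT-001) run over a constructed sample source file, plus a build gate of the kind the paragraph describes. The sample deliberately shows a true positive (SQL built by concatenation on line 8), a false negative (the same mistake written as an f-string on line 12, which the concatenation rule does not see) and a false positive (ordinary log-message concatenation on line 19 flagged by the over-broad CONCAT-001 rule).

```python
import re
from dataclasses import dataclass

# Constructed sample source file (not from the article) that the scanner reads as text.
# Line 8 concatenates a request value into SQL, line 12 does the same with an f-string,
# line 16 uses a bound parameter, and line 19 concatenates into a log message.
SAMPLE_SOURCE = """\
import os, sqlite3

def read_report(base_dir, name):
    path = os.path.join(base_dir, name)
    return open(path).read()

def find_user(conn, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return conn.execute(query)

def find_user_fmt(conn, username):
    query = f"SELECT * FROM users WHERE name = '{username}'"
    return conn.execute(query)

def find_user_safe(conn, username):
    return conn.execute("SELECT * FROM users WHERE name = ?", (username,))

def log_line(logger, msg):
    logger.info("request: " + msg)
"""


@dataclass
class Finding:
    rule_id: str
    line: int
    message: str


# Hypothetical rule set: each rule is a regular expression applied to one source line at a
# time, the pattern-based style most SAST tools use at their simplest.
RULES = [
    ("SQLI-001", re.compile(r"""["'].*\bSELECT\b.*["']\s*\+"""),
     "SQL statement built by string concatenation"),
    ("PATH-001", re.compile(r"os\.path\.join\("),
     "file path built from a caller-supplied component; confirm it cannot leave base_dir"),
    ("CONCAT-001", re.compile(r"""["']\s*\+\s*\w+"""),
     "string literal concatenated with a variable (possible injection)"),  # deliberately over-broad
]


def scan(source: str) -> list:
    """Apply every rule to every line and return the findings in source order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(text):
                findings.append(Finding(rule_id, lineno, message))
    return findings


def should_block_build(findings, blocking_rules=("SQLI-001", "PATH-001")) -> bool:
    """Build gate: stop the build when any finding belongs to a blocking rule."""
    return any(f.rule_id in blocking_rules for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.rule_id} line {f.line}: {f.message}")
    print("block build:", should_block_build(results))
```

The two misclassifications are the point: a text-level rule knows neither that `f"..."` interpolation is equivalent to `+`, nor that `logger.info` is not a query sink. Real scanners use richer models (data-flow, taint propagation, sink catalogues) to narrow that gap, and the build gate is where a team decides which rule classes are severe enough to stop a release.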
SAST Advantages
- Can analyze 100% of the code, assuming the tools at hand support all the needed languages
- Can identify vulnerabilities before the applications are published
- Can be automated via integration into SDLC
- Most tools provide fix recommendations
- No agent deployment
- Compliance checkbox
SAST Disadvantages
- Accuracy (false positives and false negatives)
- No visibility into code vulnerabilities at runtime
- Language dependencies
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing (DAST) tests the application from a functional testing perspective: DAST tools probe the running application with numerous attack vectors and identify vulnerabilities based on the application’s responses. DAST was invented in 2001 and, like SAST, is a well understood part of application security programs. Many compliance standards recommend or require DAST.
DAST Advantages
- No language dependencies
- No agent deployment
- Identification of runtime vulnerabilities
- Compliance checkbox
DAST Disadvantages
- Accuracy (false positives and false negatives)
- Scans can take days or weeks for larger applications
- SDLC integration and automation often impractical because of long scan times
- Lack of visibility to pinpoint the exact location of the vulnerability in the code
- Application coverage
- Reliance on patterns
Interactive Application Security Testing (IAST)
Interactive Application Security Testing (IAST) is a hybrid testing approach that promises to solve the main drawbacks of SAST and DAST by combining the best of both. In other words, IAST tools analyze the source code of the web application while it is running to identify more vulnerabilities with a lower rate of false positives.
IAST tools work inside the application and have visibility into application execution as well as backend components, which is something SAST and DAST tools cannot do.
There are two types of IAST approaches:
- Active IAST — this approach involves two components: one that generates attack scenarios and the other one which monitors a running web application’s behavior
- Passive IAST — this approach uses a single component, a sensor which oversees the running web application – this tool does not simulate any attacks
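The passive approach is easiest to see in code. The following is an added example written for this article, not code from the page or from any IAST product: a hypothetical in-process sensor with two hooks, one at the request entry point (every request parameter is recorded as untrusted) and one wrapped around the SQL sink (the statement text is checked for any of those values before it runs). The application, table and handler names are constructed for the demo. No attack is simulated; an ordinary value such as "alice" is enough for the sensor to see that a request parameter became part of the statement text in the vulnerable handler and did not in the parameterized one.

```python
import sqlite3
import threading
from dataclasses import dataclass


@dataclass
class Finding:
    sink: str        # which sink hook raised it
    handler: str     # request handler that was executing
    parameter: str   # name of the untrusted request parameter
    statement: str   # the statement text as it reached the sink


class Sensor:
    """Hypothetical passive IAST sensor: it never sends attacks, it only observes.

    A value that shows up inside the statement text was concatenated in; a value
    passed as a bound parameter is not part of the text and is left alone.
    """

    def __init__(self):
        self._ctx = threading.local()   # per-request state, one request per thread
        self.findings = []

    def request(self, handler_name):
        """Decorator for request handlers; keyword arguments play the role of request parameters."""
        def decorate(fn):
            def wrapper(**params):
                self._ctx.handler = handler_name
                self._ctx.untrusted = {k: v for k, v in params.items() if isinstance(v, str)}
                try:
                    return fn(**params)
                finally:
                    self._ctx.untrusted = {}
            return wrapper
        return decorate

    def sql_sink(self, execute):
        """Wrap a DB-API execute() so every statement is inspected before it runs."""
        def wrapper(statement, parameters=()):
            for name, value in getattr(self._ctx, "untrusted", {}).items():
                # Very short values (e.g. "1") would match almost any statement; ignore them.
                if len(value) >= 3 and value in statement:
                    self.findings.append(
                        Finding("sql", getattr(self._ctx, "handler", "?"), name, statement))
            return execute(statement, parameters)
        return wrapper


# --- constructed demo application (not the article's) ---
sensor = Sensor()
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
execute = sensor.sql_sink(conn.execute)   # the application's DB calls now pass through the sensor


@sensor.request("find_user")
def find_user(username):
    # Vulnerable: the request value becomes part of the statement text.
    return execute("SELECT email FROM users WHERE name = '" + username + "'").fetchall()


@sensor.request("find_user_safe")
def find_user_safe(username):
    # Safe: the request value travels as a bound parameter, never inside the text.
    return execute("SELECT email FROM users WHERE name = ?", (username,)).fetchall()


def run_demo():
    """Exercise both handlers with an ordinary value and report what the sensor flagged."""
    sensor.findings.clear()
    find_user(username="alice")
    find_user_safe(username="alice")
    return [(f.handler, f.parameter) for f in sensor.findings]


if __name__ == "__main__":
    for handler, param in run_demo():
        print(f"untrusted parameter '{param}' reached the SQL sink inside handler {handler}")
```

This is why the article can list both runtime visibility and source-level location among IAST's strengths: the finding names the executing handler and the exact statement, information a black-box probe cannot see, and it was produced by normal functional traffic rather than a scan. The cost is equally visible: the sensor has to be loaded into the process (agent deployment) and written against the language's database API (language dependency).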
IAST Advantages
- Visibility into the application at runtime and visibility into the source code combined
- Accuracy
- Coverage
- Automation
- Flexibility in integration at various stages of SDLC
- Reliance on rules and patterns
- Most tools provide fix recommendations
IAST Disadvantages
- Agent deployment
- Language dependencies
- Traditional IAST tools rely on patterns and rules like DAST and SAST tools
Conclusion
SAST, DAST, and IAST are great tools that can complement each other; however, many companies can only allocate resources for fewer tools and need to take a “biggest bang for the buck” approach. With that in mind, IAST may just be a way to get the best of both worlds while meeting security and compliance requirements for application development.
K2 IAST Advantage
K2 IAST addresses the typical issues of IAST with the following technical approaches:
- Agent architecture that facilitates easy deployment
- Minimal resource footprint, because K2 does not rely on rules or patterns to identify vulnerabilities
- Integration with K2 RASP to allow teams to leverage K2’s signatureless approach in testing and production
- Broad language support
- Validation of discovered vulnerabilities via “proof of exploit” probing
- Faster remediation, because teams can focus on the exploitable vulnerabilities
- Zero rules or patterns