Building Blocks of AppSec Testing Exploring SAST, DAST, and IAST/RASP

One in five data breaches is caused by software vulnerabilities according to the Verizon Data Breach Report 2019. These vulnerabilities can lead to data breaches and ransomware attacks, apart from the expensive remediation work to fix the vulnerabilities. Implementing a strong software assurance program can help in mitigating these risks and ensure secure code gets deployed into production environments.

Introducing SAST, DAST, and IAST/RASP

Multiple methods of application security testing exist e.g. static, dynamic, and interactive application security testing. Each of them comes with their pros and cons.

Static Application Security Testing (SAST)

Static application security testing inspects the source code of an application to detect code patterns corresponding to known vulnerabilities. This form of “white box” testing enables vulnerabilities to be detected early in the Software Development Life Cycle (SDLC) as the product is being built.

Integrating Software Composition Analysis (SCA) into the SAST scan cycle can help in identifying vulnerabilities associated with open source components and minimize the risk of zero-day vulnerabilities creeping into code.

Advantages:

• Early vulnerability detection. SAST tools can be run while the application is being built, allowing for vulnerability detection early in the SDLC.
• Easily automated. SAST scanners can be integrated into DevOps CI/CD workflows, enabling automated scanning.
• Developer friendly. Developers can scan results in real-time with access to recommendations for code remediation.

Disadvantages:

• Cannot scan through binaries. Source code is required.
• No understanding of program flow. SAST analyzes the program code statically, so it does not understand the context of program logic at run time.
• Misses dependency vulnerabilities. Since SAST only examines the code, any external dependencies are only scanned if the corresponding source code is available and explicitly included.
• Language-specific. Since SAST analyzes application source code, SAST scanners are specific to a particular programming language.
• High false positives.

Dynamic Application Security Testing (DAST)

Dynamic application security testing (DAST) takes a “black box” approach to vulnerability testing. The response of a running application is checked for malicious requests, and of application is checked for successful exploitation.

DAST scans can be run as soon as the application is deployed, end points are testable, and UI/backend are functioning. DAST has been often viewed as a certification and accreditation step as it comes later in the development cycle.

Advantages:

• No need for source code. Since DAST analysis is performed at runtime, no source code is required.
• Language agnostic. Runtime analysis enables DAST to work on a range of platforms and languages.
• Stress Testing. DAST tools are useful for stress testing, scalability testing and performance testing.
• Realistic attack conditions. DAST tests are closer to an actual exploit compared to SAST tools

Disadvantages:

• Late vulnerability detection. Since code must be available in a deployable state to be analyzed, DAST detects vulnerabilities later in the SDLC.
• Slow. DAST identifies vulnerabilities by bombarding code with attack traffic. This means that a full analysis can be slow.
• Does not identify vulnerability location. DAST does not pinpoint the location of a known vulnerability in the code.
• Domain Expertise: Security knowledge is needed to interpret reports

Interactive Application Security Testing (IAST)

Interactive application security testing (IAST) monitors the internal state of an application at runtime via instrumentation. This enables the detection of vulnerabilities based upon the corresponding impact on a program’s operation. Since IAST tools integrate very well with common CI/CD tools and DevOps practices, they can replace DAST solutions.

Pros:

• High visibility into application internals. IAST uses agents to observe application internals, providing a great deal of visibility.
• Low false positive rate. IAST identifies issues as they occur, meaning that only realistic, exploitable vulnerabilities are reported.
• Continuous detection. IAST analysis while the application is running, providing constant vulnerability detection.
• Vulnerability location identification. IAST’s insight into an application’s internals can help to pinpoint the location of a vulnerability.
• Vulnerable dependency detection. IAST monitors the entire execution state of an application, enabling the identification of vulnerabilities arising from dependencies and libraries.

Cons:

• Language-specific. IAST scanners are language-specific & expensive from a total cost of ownership perspective
• Slight to noticeable performance degradation. Overhead of instrumenting run-time code
• Later in SDLC. IAST analysis occurs after an application is complete, and vulnerabilities are detected later in the SDLC.

Runtime Application Security Testing (RASP)

RASP tools are like IAST tools and deploy an agent within the application. Unlike the IAST tools which focus on detection capabilities, RASP tools monitor the applications for indicators of attack and protect the application against them when it identifies an attack. Some of the more sophisticated RASP tools provide protection beyond the OWAP Top 10 including Account Takeover, Bad Bots & API Abuse.

Developing an Effective Application Security Testing Program

Application security testing is an essential component of an organization’s software assurance program. However, no single tool is a perfect solution. Deploying a combination of SAST, DAST or IAST/RASP tools will help an organization build a unified taxonomy of common vulnerabilities, prioritize remediation work, and ensure a layered approach to security for risk mitigation. Ability of the testing tools to integrate with your CI/CD pipeline and integration with tools like Jira for policy governance should be important considerations.

Integrating your Application Security Testing with secure code training for developers can help enterprises ship secure code with confidence