SAST, DAST, IAST & RASP... too many acronyms to keep up with? Here is a quick primer that will help you navigate the world of Application Security Testing.
What is Application Security Testing and why is it important?
A large share of the cyber threats organizations face results from malicious actors exploiting known vulnerabilities in the organization's own products. These vulnerabilities may have been introduced through bad coding practices or gaps in patch management. This is why ensuring the security of applications at every stage of the Software Development Lifecycle (SDLC) is important.
The good news is that we can prevent a large percentage of these threat scenarios by integrating Application Security Testing into the SDLC. SAST, DAST, IAST & RASP are different ways of integrating Application Security Testing into your SDLC.
SAST - Static Application Security Testing
Static Application Security Testing (SAST, a.k.a. “white box” testing) tests an application from the inside: its inner workings, rather than its functionality, are examined. SAST tools analyze the source code and help developers find vulnerabilities and flaws in their code, test its resilience and fix the vulnerabilities earlier in the SDLC. Since SAST can be performed at different points of the SDLC, it also makes it easier for developers to identify the root cause of a flaw within the code much faster.
Deploying SAST tools can be challenging. Also, if your web application is written in a dynamic language, it becomes difficult for SAST tools to semantically understand the code and the order in which it executes.
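To make the "inside" view concrete, here is a toy SAST check, written as an added example rather than code from the original post or from any SAST product. It parses Python source with the standard `ast` module without running it and flags `.execute()` calls whose SQL text is assembled from non-constant pieces (concatenation, `%`-formatting or f-strings); the sample source it scans is constructed for the example.

```python
# Added example (not from the original post): a toy SAST rule built on
# Python's `ast` module. It reads source text without executing it and
# flags `.execute()` calls whose SQL is built from non-constant parts,
# the classic SQL injection pattern static analysis can catch early.
import ast

# Constructed sample input: two unsafe queries and one parameterised query.
SAMPLE_SOURCE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def find_user_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))

def by_id(cursor, uid):
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
'''


def _is_dynamic_sql(node):
    """True if the expression builds a string from non-constant parts."""
    if isinstance(node, ast.JoinedStr):            # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "a" + "b" is still constant; anything else mixed in is dynamic.
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    return False                                   # str.format() is out of scope here


def scan_source(source):
    """Return one finding per `.execute()` call whose first argument is dynamic SQL."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "execute" or not node.args:
            continue
        if _is_dynamic_sql(node.args[0]):
            findings.append({
                "line": node.lineno,
                "rule": "sql-string-build",
                "message": "SQL statement built from non-constant parts; use a parameterised query",
            })
    return findings
```

Because the check never runs the code, it reports the line number of each flaw directly, which is the root-cause visibility the section above describes.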
DAST - Dynamic Application Security Testing
Dynamic Application Security Testing (DAST, a.k.a. “black box” testing) is the approach where testing is done from the 'outside in' to find security vulnerabilities in a live web application. DAST tools are used towards the end of the SDLC and help find run-time and environment-related issues. The methodology uses fault injection techniques such as SQL injection and Cross-Site Scripting to feed malicious data to the application, observe how the application behaves after a valid user logs in, and identify the security vulnerabilities specific to run-time. This approach checks for authentication and server configuration issues, tests for business logic misconfigurations (verifying access permissions), tries to break the encryption algorithms from the outside, identifies third-party component vulnerabilities, etc.
The downside of DAST tools is the need for an expert to be present while testing the application. An expert with a good understanding of the particular application can simulate an attack exploiting a particular vulnerability and provide a comprehensive test report that identifies all flaws and reduces false positives. Also, since DAST can only be run against a running application, it cannot be used in the earlier stages of the SDLC as SAST can, which makes remediation costlier.
IAST - Interactive Application Security Testing
Interactive Application Security Testing (IAST) combines features of SAST and DAST tools. IAST tools provide both a static and a dynamic view of an application, letting users see and test the source code while also taking a dynamic web scanner's view of the application as it executes at runtime. IAST tools check the entire code base, system configuration data, web components, HTTP requests and responses, frameworks, libraries, and also backend connection information.
IAST tools address most of the shortcomings of SAST and DAST tools and offer advantages including flexibility, coverage, CI/CD integration and greater accuracy of test results. IAST works by placing agents/sensors within an application, which analyze the application in real time in development, QA or even production. IAST tools help find potential weaknesses earlier, which helps organizations minimize costs and delays and deliver a more secure application. However, some things to keep in mind while leveraging IAST tools are:
Zero day issues can’t be caught
Limited language support
Most tools are proprietary, making the user reliant on the supplier's support
IAST tools can slow down the operational performance of the application
RASP - Runtime Application Self Protection
Runtime Application Self Protection (RASP) tools protect an application at runtime by analyzing traffic and user behavior to detect malicious activity. RASP is an evolution of SAST, DAST and IAST.
RASP tools issue alerts, block the execution of malicious code, and can also patch the application themselves to block similar attacks by analyzing its own behavior. RASP helps close the security gap between application security testing and network perimeter controls: it blocks attacks using code-level visibility into the application that goes beyond the capabilities of a Web Application Firewall (WAF). It covers a wide range of vulnerabilities and supports many languages and platforms. However, RASP tools:
can only be used in production, i.e. at run time of an application.
can slow down the application's performance.
can miss a vulnerability, so the issue goes unnoticed and is left unfixed.
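The agent/sensor idea behind both the IAST section and the RASP section above can be shown with one toy in-process sensor. This is an added example, not code from the original post or from any IAST/RASP product: it hooks a cursor's `execute()` sink, remembers the strings the current HTTP request carried (the taint source) and checks whether one of them was pasted verbatim into the SQL text; in "monitor" mode it only records the finding (IAST-style), in "block" mode it refuses to run the statement (RASP-style). The cursor, the two handler functions and the request values are all constructed for the example, and real agents propagate taint through string operations rather than relying on substring matching as this toy does.

```python
# Added example, not the original post's code: a toy in-process sensor of
# the kind IAST and RASP agents install. Simplification: tainted request
# values are matched as substrings of the SQL text; values shorter than
# three characters are ignored to keep the toy from flagging everything.


class BlockedByRasp(Exception):
    """Raised in block mode when untrusted input reaches the SQL sink."""


class FakeCursor:               # stand-in for a DB-API cursor (constructed)
    def __init__(self):
        self.executed = []

    def execute(self, sql, params=None):
        self.executed.append((sql, params))


class SqlSinkSensor:
    def __init__(self, mode="monitor"):   # "monitor" = IAST-style, "block" = RASP-style
        self.mode, self.tainted, self.findings = mode, [], []

    def begin_request(self, request_params):
        # Taint source: every string value the client sent with this request.
        self.tainted = [v for v in request_params.values() if isinstance(v, str) and len(v) >= 3]

    def instrument(self, cursor):
        original = cursor.execute

        def guarded_execute(sql, params=None):
            hits = [t for t in self.tainted if t in sql]
            if hits:                          # request data ended up inside the statement
                self.findings.append({"sql": sql, "tainted_values": hits})
                if self.mode == "block":
                    raise BlockedByRasp(f"untrusted input reached SQL sink: {hits}")
            return original(sql, params)      # bound parameters travel separately, not in sql

        cursor.execute = guarded_execute      # hook the sink
        return cursor


def lookup_vulnerable(cursor, name):          # constructed handler: string-built SQL
    cursor.execute("SELECT id FROM users WHERE name = '" + name + "'")


def lookup_safe(cursor, name):                # constructed handler: parameterised SQL
    cursor.execute("SELECT id FROM users WHERE name = %s", (name,))


def run_request(mode, handler, name):
    """Simulate one HTTP request carrying ?name=... through the instrumented app."""
    sensor = SqlSinkSensor(mode)
    cursor = sensor.instrument(FakeCursor())
    sensor.begin_request({"name": name})
    blocked = False
    try:
        handler(cursor, name)
    except BlockedByRasp:
        blocked = True
    return {"findings": len(sensor.findings), "blocked": blocked, "executed": len(cursor.executed)}
```

The same sensor therefore reports the flaw in monitor mode even on benign input, which is what makes it useful before production, and only in block mode does it take the enforcement role (with the performance and missed-vulnerability caveats listed above).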