When determining the right testing types for your application security (AppSec) program, there are several questions that likely come to mind: What is the difference between the various AppSec tests? What vulnerabilities do the tests uncover? How many testing types do I need to include in my program?
You can answer these questions and form the appropriate mix of security tests for your organization by understanding the capabilities of each assessment.
Consider the pros and cons list below. The list establishes the main function of each security test, then outlines their strengths and weaknesses.
Static Application Security Testing (SAST)
SAST analyzes application code for security vulnerabilities.
Pros: SAST can be integrated into the development pipeline, allowing scans to happen automatically – making it a good fit for DevSecOps. SAST also works on any type of application (web, desktop, mobile, etc.) and covers a broad range of programming languages.
Cons: SAST is unable to find business logic flaws or accurately pinpoint vulnerabilities in third-party components.
Dynamic Application Security Testing (DAST)
DAST analyzes web applications by actively exploiting them at runtime.
Pros: DAST is a commonly used security test because it can run a scan without access to source code, which is a huge win if the development team is not willing to share their code. Additionally, DAST finds flaws and server misconfigurations with high accuracy and is largely independent of programming language.
Cons: DAST only scans web applications, and it cannot find business logic flaws. Running a dynamic scan is also time-consuming, so you will want to run the scan overnight.
Software Composition Analysis (SCA)
SCA looks at open-source and third-party libraries for vulnerabilities in all types of applications.
Pros: Integrating SCA into the software delivery lifecycle is simple, and the scans are quick. It is easy to remediate vulnerabilities in open source code by upgrading to a newer component version. SCA is non-threatening to development teams because it is not their code being analyzed.
Cons: You can only find vulnerabilities in third-party components. You cannot find business logic flaws.
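To make the SCA description above concrete, here is an added example (not code from the original article or from any vendor's product) that shows the core of what an SCA scan does: read the pinned dependencies from a lockfile, match each against a database of advisories with affected version ranges, and report the fix version to upgrade to. The package names, advisory identifiers and version ranges are all constructed placeholders.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.28.1' into (2, 28, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version that is no longer affected
    advisory_id: str  # constructed placeholder, not a real advisory ID


# Constructed sample advisory database; real SCA tools pull this from vulnerability feeds.
ADVISORIES = [
    Advisory("examplelib", "2.0.0", "2.31.0", "ADV-EXAMPLE-001"),
    Advisory("netkit", "1.0.0", "1.26.18", "ADV-EXAMPLE-002"),
    Advisory("netkit", "2.0.0", "2.0.7", "ADV-EXAMPLE-003"),
]


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines from a requirements-style lockfile into {name: version}."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "==" not in line:
            continue                            # SCA needs exact pins; unpinned entries are skipped
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(deps: dict, advisories=ADVISORIES) -> list:
    """Return (package, installed, advisory_id, fixed_version) for every matching advisory."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv.package)
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
            findings.append((adv.package, installed, adv.advisory_id, adv.fixed))
    return sorted(findings)


# Constructed sample lockfile: one vulnerable pin per advisory family, one clean package.
SAMPLE_REQUIREMENTS = "examplelib==2.28.1\nnetkit==2.0.5\nwebframe==2.3.2\n"

if __name__ == "__main__":
    for pkg, installed, adv_id, fixed in scan(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{pkg}=={installed}: {adv_id}, upgrade to >={fixed}")
```

The remediation the article describes is visible in the output: each finding names the first fixed version, so the fix is a version bump rather than a code change.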
Interactive Application Security Testing (IAST)
IAST hooks an agent into the application or runtime environment.
Pros: The results are fast and accurate, making it suitable for DevSecOps.
Cons: IAST does not cover every flaw type, like Cross-Site Scripting, because IAST only looks inside the application. Also, since IAST is a newer technology, it only understands major programming languages, and the licenses tend to be expensive.
Penetration Testing
A human tester assesses the architecture, components, and code of the application by simulating an attack.
Pros: Penetration testing uses human ingenuity to find ways around security controls. It finds all forms of security issues, including business logic flaws, in every type of application.
Cons: It is time-consuming and expensive, and the results are quickly outdated. Also, since penetration testing is conducted in staging or production, it often creates unplanned work for the development team.
After evaluating the various AppSec tests, you have probably noticed that there is not one perfect solution. All of the tests have strengths that could benefit your application, but they also have limitations regarding the specific flaws and vulnerabilities they are able to uncover.
To provide the best protection for your applications, it is important to have a strong mix of assessments. Ideally, you would employ all AppSec tests, but in reality most organizations have to choose which tests make the most sense based on their release schedule, risk tolerance, and funds. Once you have testing in place and your AppSec program is maturing, you can add more security tests to the mix to further secure your applications.
Learn more about AppSec testing types in our recent guide, AppSec Best Practices vs Practicalities: What to Strive for and Where to Start.