Data is very important for any organization because it drives the business. If an organization loses its data or data is stolen then it ma...
Data is very important for any organization because it drives the business. If an organization loses its data or data is stolen then it may be huge financial or business consequences for that organization. To prevent data loss organizations need to identify vulnerabilities in their applications and mitigate the risks. For that, they are adding application security testing, including SAST(static application security testing) and DAST(dynamic application security testing), to their software development workflow.
SAST and DAST
SAST and DAST are application security testing methodologies used to find security vulnerabilities that can make an application more seucre from outside attacks
SAST:- (Before running the application) It is a white box method of testing. It examines the code to find software flaws and weaknesses such as SQL injection.
DAST:- (At Run time of application) It is a black box method of testing. It examines an application as it's running to find vulnerabilities that an attacker could exploit.
Differences between SAST and DAST
1. SAST is while-box security testing. The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.
DAST is black-box security testing. the tester has no knowledge of the technologies or frameworks that the application is built on. This type of testing represents the hacker approach.
2. SAST requires source code or binary without executing the application.
DAST requires a running application to analyze it by executing the application.
3. SAST finds the vulnerabilities earlier in the SDLC. The code scan can be executed as soon as the code is deemed feature-complete.
DAST finds the vulnerabilities towards the end of the SDLC.
4. SAST is less expensive to fix the vulnerabilities because these are found at an early stage of SDLC.
DAST is more expensive to fix vulnerabilities because these are found at end of SDLC. Critical vulnerabilities may be fixed as an emergency release otherwise it can be pushed to the next release cycle.
5. SAST cannot find the run time-related issues whereas DAST can be used to find the Run time-related issues.
COMMENTS