Is there any magical technology that will discover all relevant vulnerabilities in my applications?
Unfortunately not. Despite the industry’s efforts to come up with new technologies like IAST or RASP to blend the benefits of SAST and DAST tools and eliminate their shortcomings, there is still a widespread reliance on SAST and DAST tools to secure applications.
The agent dependent structure of IAST and RASP tools is still a turn off for enterprises due to the discomfort of having a 3rd party element monitor their servers and other performance-related issues.
Latest reports demonstrate that the introduction of SAST leads to 50% fewer new production vulnerabilities identified by DAST and 25% improvement in mean time to fix vulnerabilities.
Numbers clearly justify the co-existence of SAST and DAST tools but let’s take a closer look at why this is the case.
While applications are targets of cyber attacks more than ever, in most cases the introduction of SAST into the software development life cycle takes place after that of DAST.
That comes as no surprise as it is more common to act reactive rather than proactive in many areas of life.
By adopting DAST first, companies try to find out which parts of their applications can be exploited by ill-intentioned hackers.
Even though that is a good starting point, they can only get this extremely vital information once the application reaches the test or production stage.
What is worse, they still are unaware of the source of the vulnerability to fix it in the source code. What if they knew about the reasons for the exploitable vulnerabilities instead of the outcome and what if they were able to fix the root cause of the problems before they even emerged?
SAST distinguishes itself from other application security testing technologies by being the only one that makes scans during development possible, which perfectly fits with the trend of discovering and removing vulnerabilities as early as possible.
SAST tools look at the source or binary code and vulnerabilities discovered at the earlier stages enable a cheaper and easier remediation process which is the fundamental idea behind the “Shift Left” concept that urges companies to test their applications throughout the software development process rather than at the end of it.
The “inside out” structure of SAST based on the source code of the application is a better solution to shift left compared to the “outside-in” structure of DAST which scans the running application and mimics the behavior of hackers at the test or production stage.
A SAST only approach is shortsighted as it has difficulty in discovering run-time vulnerabilities and tell anything about the exploitability of a vulnerability.
Exploitability is a killer criteria when it comes to prioritization of vulnerabilities and in the vulnerability management process it always comes down to prioritization given the abundance of vulnerabilities discovered by scanners.
SAST tools partly owe their bad reputation of producing so many false-positive results to this gap between the source code and production environment.
It is a major concern for security teams to have as few false-positive results as possible to be able to keep the spotlight on real threats and SAST tools keep being criticized on that front.
It is also essential to know that SAST methodology is programming language sensitive and not all SAST tools perform equally well in every programming language or framework.
A DAST only approach, on the other hand, provides a much higher confidence level about the exploitability of vulnerabilities.
However, it lacks the remediation capabilities of SAST as it can not tell the root cause of the vulnerability in the source code.
Once reporting the problem, it leaves the solution of the problem to internal teams which often lack the motivation to track down the root cause of the problem.
One other major drawback of a DAST-only approach is, as it runs in the production environment it discovers vulnerabilities after the software development life cycle is complete, which means more resources allocated to fixing the vulnerability.
Due to DAST’s “outside-in” structure, hidden inputs can not be discovered by DAST tools and leads to a lower code coverage compared to SAST. This can be considered as natural due to the source or binary code dependent structure of SAST.
A combined approach using both SAST and DAST tools in tandem can provide much more reliable results and vulnerabilities found by both technologies can be prioritized with peace of mind, as they are much more likely to pose a real threat to the application.
Quick prioritization leads to quick fixes and quick fixes lead to quick releases as desired by every organization.
Instead of testing applications at certain points in the software development life cycle, an end-to-end assurance can only be provided by the adoption of both technologies.
A continuous testing and rectification process that embraces the entire process is made possible through different capabilities of SAST and DAST which allow them to work in different stages of the software development life cycle.
The more these technologies are perceived as complementary, the shorter will be the life of vulnerabilities in the applications.
The drawbacks of adopting only one of the technologies can be avoided and shortcomings of one technology can be compensated by the strong points of the other to shorten the window of exposure of having open vulnerabilities.
In the end, SAST and DAST are two different technologies that serve the same purpose of identifying vulnerabilities to have them removed and they are certainly stronger together than alone.