SAST vs DAST: A VS of the Security Tests

Prelude

A crannied, "White Christmas" record crackling through the howling blizzard outside, a rundown fireplace proliferating its warmth, and a cup of hot chocolate topped with toasted marshmallows would be a perfect Christmas eve. Similar shades of bliss were evident at FireEye, where everything seemed fine and dandy until it wasn't. One seemingly benign alarm threw them on a wild goose chase behind something more catastrophic than ever, something that would eventually shake the foundations of entire nations. Just another seemingly innocuous MFA (Multi-Factor Authentication) error raised concerns when it triggered an alarm on someone trying to register for the same on a new device using credentials previously reported stolen. That was the onset in discovering an intricate web of attacks that later unraveled as the Solarwinds Hack. The Solarwinds hack was exceptionally sophisticated and extensive that the victim count has hit 30,000 and is still counting. If only the security had been more rigorous, more proactive, this situation would have amounted to naught. Several upper strata of the US Government, including the Department of Homeland Security, fell prey to the attack. "The Largest and most sophisticated attack the world has ever seen" were the words of Microsoft's president Brad Smith referring to the Solarwinds Hack. The above crisis only further evinces that the call for security is on an ever high.

A Prologue to SAST and DAST

Over the past years, security has skyrocketed in its eminence, transitioning into the backbone of this cyberized era. Though the concept of security has wedged its way into the current technological landscape, it is yet only inching toward the days of shifting left. Shifting left in the security community refers to accommodating security from the beginning of the software development lifecycle. That is, from before the inception of the source code and beyond. Often mistaken to be a mere fragment of software testing, security testing comprises testing an entity for vulnerabilities and bugs that could potentiate threats into security incidents. Security testing can help avert a crisis way before it could prove disastrous by exposing the probable attack vectors and narrowing the attack surface. Synonymous to its software counterpart, security testing follows similar categorizations: white and black box testing. The two most prominent testing methods are SAST and DAST, with SAST (Static Application Security Testing) being a white box method and DAST (Dynamic Application Security Testing) being a black box method.

Testing the Code VS Testing the App

SAST deals with finding the vulnerabilities and security concerns extant within the source code. DAST deals with runtime application testing. SAST could range anywhere from scanning source code for unintentional password leaks to scanning docker files in a Kubernetes environment for malicious commands. It deals with code examination and analysis to uncover vulnerabilities that an attacker might exploit. All checks and analysis occur before the application runs, while it is still only lines of code involving no dynamic parts. Even though it requires no running application, SAST tools can help identify up to 50% of the vulnerabilities. It also ensures compliance with coding guidelines and best practices. DAST, on the other hand, as hinted at earlier, deals with the application while it is executing. It doesn't necessarily interact directly with the source code but tests the application for any flaws during its runtime. It identifies vulnerabilities by simulating penetration tests and attacks by testing the exposed frameworks and interfaces, including APIs, third-party library calls, etc. It helps identify those vulnerabilities externally visible to anyone (i.e., those visible to an attacker). DAST tools employ external attacks that simulate irregular or malicious operations to discover anomalous application behavior/output that may pose threats by exposing vulnerabilities.

How do they collate in a CI/CD Pipeline?

A CI/CD(Continuous Integration/Continuous Delivery) Pipeline is a practice that involves a defined set of steps that ensure automated software build, test, and deployment, thereby bridging the gap between the development, operation activities, and teams. The CI/CD practice forms the backbone of the modern-day DevOps teams that perform these Continuous integrations, Continuous Delivery, and similar operations. The inception of the "Shifting Security Left" phenomenon has further enhanced the DevOps practices to integrate security through giving rise to DevSecOps. Hence, the SAST and DAST tools have been meshed along with the several build and deployment stages to provide seamless security testing. Static Application Security Testing tools such as Docker bench, Clair, Anchore, etc., help scan Docker images before uploading them onto the server. Also, tools such as Veracode and SonarQube analyze the static code for any vulnerability exposures. On the other end, Dynamic Application Security Testing tools such as Accunetix, HCL AppScan, etc., can be used to scan the application running in realtime. Hence, all these tools could operate as automated steps within the CI/CD pipeline. In general, SAST tools are more effortless in terms of CI/CD Pipeline Integration. One only needs to configure it once and leave it to work its magic. DAST tools, on the other hand, integrate only partly in the pipeline.

Well then, what in the world is IAST?

IAST or Interactive Application Security Testing is a combination of SAST and DAST but on Steroids! IAST is a method of dynamically testing the runtime application by a process called instrumentation where sensors and agents are deployed within the running application to track, analyze and identify vulnerabilities in realtime. Since It operates from within the application attaining a comprehensive awareness of the runtime controls, stack trace, memory buffer, etc., it is beyond capable of zeroing in on the exact source of the vulnerability, revealing even the code requiring correction. The best part of IAST, though? Here is where It shines over DAST, as it is ever-so-simple to integrate into a CI/CD pipeline. Another advantage is the ability to narrow down the source of a vulnerability, owing to an efficient testing mechanism. It also zooms past SAST in the case of dynamically typed languages and application logic errors that may pose a security threat. It is not to say that SAST and DAST aren't good enough since IAST does have its fair share of woes.

Conclusion

Security Testing helps analyze and implement proactive security measures way before a vulnerability could transition into a threat, thereby sparing a company the catastrophic outcome. Implementing the several security testing methodologies discussed above would not guarantee an unhackable application but would provide frontline defense, rendering the time to correct mistakes. Even when these mechanisms are in place, carrying out stringent actions on any flags or alarms is the way to go. Employing SAST and DAST together could go a long way in preventing imminent attacks, providing much-needed space to rectify serious mistakes.

Resources

• https://www.datacenterknowledge.com/security/list-known-solarwinds-breach-victims-grows-do-attack-vectors
• Towards Better utilizing Static Application Security Testing: https://jinqiuyang.github.io/papers/icse-seip-2019.pdf
• DevSecOps - Security and Test Automation: https://www.mitre.org/sites/default/files/publications/pr-19-0769-devsecops_security_test_automation-briefing.pdf