At the highest level, application testing can be broken down into two types: static and dynamic. Static testing focuses on reviewing an application's source code to identify vulnerabilities before the product is released. Dynamic testing instead analyzes the application once it has been compiled and is already functional. Each has its advantages and disadvantages, and combining the two provides far better security coverage than either on its own.
Static Application Security Testing (SAST)
Static application security testing, or SAST, employs manual and automated techniques to review the source code of an application and catch vulnerabilities early. SAST is usually more comprehensive than DAST, because it lets the tester look under the application's hood. Typically, this testing involves combing through every file used in the application and looking for known-vulnerable functions. After identifying these functions, the next step is finding more secure alternatives.
SAST also helps identify areas of code made vulnerable by poor coding practice. An example would be looking for any place where user input is passed into a SQL query. These areas are extremely prone to exploitation if care is not taken to secure them, even if no inherent vulnerabilities exist in the functions used. The code in these areas can then be modified to meet higher security standards. In the SQL query example, this would typically involve escaping any malicious user input.
SAST will also look for potentially sensitive hard-coded values. If an attacker can get access to that information, it could be devastating. Credentials for various integrations are often embedded directly in the code base, and compromise of this information then leads to compromise of the integrated service. A better practice is to keep sensitive data in configuration files, hosted either in the cloud or locally, and have the code refer to those.
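As an added illustration of what an automated SAST pass looks for (this is example code, not code from the original post or from Blue Goat Cyber), the Python script below walks the abstract syntax tree of a constructed sample file and flags two of the patterns described above: a SQL query string that is built dynamically before it reaches a database `execute()` call, and a credential assigned as a string literal. The sink names, the secret-name pattern and the sample source are assumptions chosen for the example; a real tool would track data flow from actual input sources rather than flagging every dynamically built query.

```python
"""Toy SAST pass: flag dynamically built SQL queries and hard-coded secrets.

Assumptions (constructed for this example): the database sinks are methods
named execute/executemany/executescript, and a "secret" is any variable whose
name contains one of a few credential-like words.
"""
import ast
import re

SQL_SINKS = {"execute", "executemany", "executescript"}
SECRET_NAMES = re.compile(r"(password|passwd|secret|api_key|apikey|token)", re.I)


def _is_string_building(node: ast.AST) -> bool:
    """True if the expression assembles a string at run time (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):            # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                # "..." + x   or   "... %s" % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                # "... {}".format(x)
    return False


def scan_source(source: str, filename: str = "<input>") -> list:
    """Return (line, rule_id, message) findings for one Python source file."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        # Rule 1: a SQL sink receiving a query string assembled from other values.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _is_string_building(node.args[0])):
            findings.append((node.lineno, "SQL_STRING_BUILD",
                             f"{node.func.attr}() called with a dynamically built query; "
                             "pass values as query parameters instead"))
        # Rule 2: a credential-looking name assigned a non-empty string literal.
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAMES.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    findings.append((node.lineno, "HARDCODED_SECRET",
                                     f"{target.id} is assigned a string literal; "
                                     "load it from configuration instead"))
    return findings


# Constructed sample file: one hard-coded credential, one correctly loaded
# credential, two string-built queries and one parameterized query.
SAMPLE = '''
import sqlite3
import os

DB_PASSWORD = "hunter2"                      # hard-coded credential
API_TOKEN = os.environ.get("API_TOKEN")      # loaded from configuration: fine

def find_user_concat(cur, username):
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")

def find_user_fstring(cur, username):
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")

def find_user_safe(cur, username):
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
'''

if __name__ == "__main__":
    for line, rule, message in sorted(scan_source(SAMPLE, "sample.py")):
        print(f"sample.py:{line}: {rule}: {message}")
```

Run as a script it reports the hard-coded `DB_PASSWORD` and the two string-built queries and stays silent on the parameterized one and on the token read from the environment; the same `scan_source()` function can be pointed at any file's contents.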
Dynamic Application Security Testing (DAST)
Dynamic application security testing, or DAST, involves testing an application at run time, once it has been compiled. Like SAST, this type of testing aims to identify any potential security flaws in the application. Unlike SAST, it does so by actively exploiting the vulnerable code, much as an attacker would have to against an application exposed on the internet. This typically involves a mix of automated and manual testing to find any vulnerable spots.
DAST tools rapidly scan the entire application and map potential weak spots. This gives the tester a plan before they go in and begin attacking the application, and saves a lot of time compared to manually combing over the entire application to identify areas of concern. The potential weak points can then be attacked with the techniques common to that area of the application. For example, if a login panel is identified, SQL injection is one of the first attacks many testers would try.
DAST involves a bit more trial and error. There is no way of seeing the back-end code, so it takes more work to craft an attack. Staying with the SQL injection example, crafting a working payload is much easier when the tester can see exactly how the input is processed. It can take some time to produce a working proof-of-concept attack for a vulnerability, but it has the advantage of showing exactly how severe the impact is.
Another great advantage of DAST over SAST is that it can test how different areas of the application work together. Certain parts of the application may be completely secure on their own but can have vulnerabilities introduced by abusing the functionality of another area of the application. An example of this is a race condition, where two different parts of an application access the same resource simultaneously. If there is no validation to ensure that the data has not already been modified, one user's changes can be overwritten by another's, and the integrity of the data cannot be verified.
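To make the race condition just described concrete, here is an added example (not from the original post or from Blue Goat Cyber) of a lost update between two request handlers that both read the same account record before either writes. It is run first against a store that performs no validation, where the second write silently overwrites the first, and then against a store that keeps a version number and rejects any write whose snapshot is stale, so the second handler re-reads and retries. The store classes, the `version` field and the deposit amounts are assumptions constructed for the example; the interleaving is forced deterministically rather than with threads so the outcome is repeatable.

```python
"""Lost-update race on a shared record: unchecked overwrite vs. an optimistic version check.

Everything here is constructed for the example: the stores are in-memory
dictionaries standing in for a database table with a `version` column.
"""
from dataclasses import dataclass


class StaleWriteError(Exception):
    """Raised when a writer's snapshot is older than the record now in the store."""


@dataclass
class Record:
    value: int
    version: int = 0


class NaiveStore:
    """Read-modify-write with no validation: the last writer silently wins."""

    def __init__(self) -> None:
        self._rows: dict[str, Record] = {}

    def seed(self, key: str, value: int) -> None:
        self._rows[key] = Record(value)

    def read(self, key: str) -> Record:
        row = self._rows[key]
        return Record(row.value, row.version)          # snapshot handed to the caller

    def write(self, key: str, snapshot: Record, new_value: int) -> None:
        # Never compares snapshot.version with what is stored, so a write based
        # on stale data overwrites whatever another handler wrote in between.
        self._rows[key] = Record(new_value, snapshot.version + 1)


class VersionedStore(NaiveStore):
    """Optimistic concurrency: accept the write only if nobody changed the record since it was read."""

    def write(self, key: str, snapshot: Record, new_value: int) -> None:
        current = self._rows[key]
        if current.version != snapshot.version:
            raise StaleWriteError(
                f"{key}: snapshot version {snapshot.version}, stored version {current.version}")
        self._rows[key] = Record(new_value, current.version + 1)


def two_concurrent_deposits(store: NaiveStore, key: str = "acct-1",
                            start: int = 100, deposits: tuple = (50, 30)) -> tuple:
    """Force the losing interleaving: both handlers read, then both write.

    Returns (final balance, whether the second handler had to retry).
    The correct final balance is start + sum(deposits).
    """
    store.seed(key, start)
    snap_a = store.read(key)                 # handler A reads balance
    snap_b = store.read(key)                 # handler B reads the same balance
    store.write(key, snap_a, snap_a.value + deposits[0])   # A commits first
    retried = False
    try:
        store.write(key, snap_b, snap_b.value + deposits[1])  # B commits on stale data
    except StaleWriteError:
        fresh = store.read(key)              # B re-reads and applies its change on top
        store.write(key, fresh, fresh.value + deposits[1])
        retried = True
    return store.read(key).value, retried


if __name__ == "__main__":
    print("naive store:    ", two_concurrent_deposits(NaiveStore()))
    print("versioned store:", two_concurrent_deposits(VersionedStore()))
```

With the naive store the balance ends at 130, the first deposit having been lost; with the versioned store the stale write is rejected, the handler retries on fresh data, and the balance ends at the correct 180. A static review of either handler in isolation would not show the problem, which is why this class of flaw is typically found by exercising the running application.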
Perform Your Application Testing With Blue Goat Cyber
SAST and DAST each have their own advantages and disadvantages, but they work best when used together, providing the most comprehensive security coverage for your product. Our team at Blue Goat can help you achieve these security goals. We can perform both types of application testing for your product and help prevent attacks before they happen. Contact us to schedule a consultation.