DAST vs SAST
Web Application Security Testing
• Will Bechtel, Director, Product Management • January 26, 2012
Static Application Security Testing (SAST)
• Manual review of source code
• Automated scanning of source code or binaries
• Tests without runtime context (no specific user, etc.)
• Automated tools usually identify and prioritize vulnerabilities
  − Range widely in capabilities (from simple pattern search to complex evaluation)
  − Prioritized by risk
  − Identify data flows
  − Provide the ability to mark sources as trusted
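To make the "identify data flows" and "mark sources as trusted" points concrete, here is a toy source-to-sink analyzer over Python code. It is an added example written for this page, not code from the presenter or from any product. Everything in it is an assumption for illustration: the SOURCES and SINKS catalogue, the `find_taint_flows` entry point, the constructed VULNERABLE_SNIPPET it scans, and the single-pass, intra-procedural propagation of taint through assignments, concatenation and f-strings.

```python
import ast

# Hypothetical source/sink catalogue for the toy analyzer (an assumption for
# this example, not any real tool's configuration).
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system", "subprocess.call", "eval"}


def _call_name(node):
    """Return a dotted name for a Call such as request.args.get, or None."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Single-pass, intra-procedural taint propagation over assignments."""

    def __init__(self, trusted_sources=()):
        self.trusted = set(trusted_sources)   # sources the reviewer marked as trusted
        self.tainted = {}                     # variable name -> source that tainted it
        self.findings = []                    # (sink, source, line)

    def _taint_of(self, node):
        """Return the source name if the expression carries tainted data, else None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SOURCES and name not in self.trusted:
                return name
            for arg in node.args:                 # str(x), f(x): data passes through
                t = self._taint_of(arg)
                if t:
                    return t
            if isinstance(node.func, ast.Attribute):   # x.strip(): receiver is the data
                return self._taint_of(node.func.value)
            return None
        if isinstance(node, (ast.BinOp, ast.JoinedStr, ast.FormattedValue)):
            for child in ast.iter_child_nodes(node):   # "..." + x, f"...{x}"
                t = self._taint_of(child)
                if t:
                    return t
        return None

    def visit_Assign(self, node):
        src = self._taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if src:
                    self.tainted[target.id] = src
                else:
                    self.tainted.pop(target.id, None)   # reassigned with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in SINKS:
            for arg in node.args:
                src = self._taint_of(arg)
                if src:
                    self.findings.append((name, src, node.lineno))
        self.generic_visit(node)


def find_taint_flows(source_code, trusted_sources=()):
    """Return [(sink, source, line)] for every source-to-sink flow found."""
    analyzer = TaintAnalyzer(trusted_sources)
    analyzer.visit(ast.parse(source_code))
    return analyzer.findings


# Constructed snippet to scan (hypothetical application code, not from the page).
VULNERABLE_SNIPPET = '''
def lookup(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)
    name = input("name: ")
    safe = "x"
    os.system(safe)
'''

if __name__ == "__main__":
    print(find_taint_flows(VULNERABLE_SNIPPET))
    print(find_taint_flows(VULNERABLE_SNIPPET, trusted_sources=("request.args.get",)))
```

The second call shows the "mark sources as trusted" control: once `request.args.get` is declared trusted, the same flow is no longer reported, which is also how a tool's false positive rate gets tuned for one application. Note what the analyzer cannot know: it has no user, no session and no database rows, so it reports that a flow exists, not whether the deployed application is reachable or exploitable.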
Dynamic Application Security Testing (DAST)
• Automated scanning and interactive testing
• Sends an attack in the request, then evaluates the response
• Tests the full application stack as deployed
  − Can identify vulnerabilities in the web app, host, web server, app server, db server, etc.
• Tests in the context of a user
• Tests in runtime context
  − Includes context such as authorization that is loaded from a db, etc.
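The "sends an attack in the request, then evaluates the response" loop, as an added example that is not part of the original deck or any scanner's code. The target is a constructed in-memory application (`vulnerable_app`, an assumption standing in for the deployed stack) and the probes, signatures and `scan` entry point are likewise hypothetical; the point is that every decision is made from the response alone, with no view of the code behind it.

```python
import html
import secrets
from urllib.parse import parse_qs, quote

# Constructed target standing in for the deployed application (an assumption
# for this example, not real product code): /search reflects the query
# unencoded, /item returns a database error page on non-numeric input.
def vulnerable_app(request):
    """request: {"path": str, "query": str}; returns (status, body)."""
    params = parse_qs(request["query"])
    if request["path"] == "/search":
        term = params.get("q", [""])[0]
        return 200, f"<h1>Results for {term}</h1>"          # no output encoding
    if request["path"] == "/item":
        item_id = params.get("id", [""])[0]
        if not item_id.isdigit():
            # stands in for the error page a DB-backed app would leak
            return 500, "Error: You have an error in your SQL syntax; check the manual"
        return 200, f"<p>item {html.escape(item_id)}</p>"
    return 404, "not found"


# Response-evaluation rules used by the probes (constructed for this example).
SQL_ERROR_SIGNATURES = (
    "You have an error in your SQL syntax",   # MySQL
    "unterminated quoted string",             # PostgreSQL
    "ORA-01756",                              # Oracle
    "Unclosed quotation mark",                # MSSQL
)


def send(app, path, param, value):
    """Put the attack value in the named parameter and return the app's response."""
    return app({"path": path, "query": f"{param}={quote(value, safe='')}"})


def probe_reflection(app, path, param):
    """Send a unique marker in angle brackets and classify how it comes back."""
    marker = "zz" + secrets.token_hex(4)     # unique so it cannot match by accident
    payload = f"<{marker}>"
    _status, body = send(app, path, param, payload)
    if payload in body:
        return "reflected-unencoded"          # markup survives: XSS candidate
    if html.escape(payload) in body:
        return "reflected-encoded"            # reflected but neutralised
    return "not-reflected"


def probe_sql_error(app, path, param):
    """Compare a benign baseline with a quote-injected value, watching for DB errors."""
    _s, baseline = send(app, path, param, "1")
    if any(sig in baseline for sig in SQL_ERROR_SIGNATURES):
        return False                          # errors even on benign input: inconclusive
    status, body = send(app, path, param, "1'")
    return status >= 500 or any(sig in body for sig in SQL_ERROR_SIGNATURES)


def scan(app, targets):
    """targets: iterable of (path, param). Returns [(finding, path, param)]."""
    findings = []
    for path, param in targets:
        if probe_reflection(app, path, param) == "reflected-unencoded":
            findings.append(("reflected-xss-candidate", path, param))
        if probe_sql_error(app, path, param):
            findings.append(("sql-error-candidate", path, param))
    return findings


if __name__ == "__main__":
    for finding in scan(vulnerable_app, [("/search", "q"), ("/item", "id")]):
        print(*finding)
```

Two things in the response evaluation are worth copying into a real scanner: the baseline request before the injected one (so an application that always returns an error page does not produce a false positive), and the random marker (so a reflection verdict is never triggered by unrelated page content). The same structure is what lets DAST see an upstream filter or WAF: if the payload is stripped before it reaches the app, the probe reports nothing, which is exactly the "can be fooled by filters" drawback noted later in the deck.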
SAST
• Advantages
  − Full visibility of security controls in the web application
    Not fooled by filters, etc.
  − Can identify logic-related vulnerabilities not easily discovered by black-box testing
  − Accurate with human review, for the application itself: code doesn't lie
  − Does not depend on testing a potentially unlimited number of paths
• Drawbacks
  − High cost of human resources: even with a tool it is very time consuming
  − Not scalable: can only thoroughly test a limited number of apps, and trained resources are in limited supply
  − High false positive rate with automated tools
  − Unable to identify weaknesses associated with runtime context
    Most access control is loaded from a db, so there is no way to evaluate privilege escalation
    Can't find issues outside the code reviewed (web server, app server, etc.)
    Can't determine if the deployed web app is vulnerable (other controls may be in place, such as a WAF)
DAST (Automated Testing)
• Advantages
  − Able to identify weaknesses associated with runtime context
    Most access control is loaded from a db, and DAST can evaluate privilege escalation
    Can find issues outside the web app code (web server, app server, etc.)
    Can determine if the deployed web app is vulnerable (other controls in place, such as a WAF)
  − More cost effective: testing typically takes less time than static analysis and validation
  − Lower false positive rate than SAST
• Drawbacks
  − Can't identify logic-related issues
  − Can't identify weaknesses that are not in the testing context
  − Does not have visibility into security controls in the web application
    Can be fooled by filters, etc.
  − Can't identify some categories, such as a time bomb or back door inserted by a malicious developer
  − Can only test a limited number of paths
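Both of the preceding slides hinge on the same fact: access control is usually data loaded from a database, so static review sees the `if` that consults it but not the rows that decide the answer, while a dynamic test run as a real user does. Here is an added example of that privilege-escalation check, written for this page and not taken from the presenter or any scanner. The in-memory app, its ACCOUNTS_DB/ROLES_DB/SESSIONS rows and the `check_escalation` and `scan_access_control` functions are all assumptions for illustration; `make_app(False)` builds the deployed app with the authorization branch missing, `make_app(True)` the hardened one.

```python
# Constructed "database" rows. In a deployed app these come from a DB that a
# static analyzer never sees; they are hypothetical data for this example.
ACCOUNTS_DB = {
    101: {"owner": "alice", "balance": 50},
    102: {"owner": "bob", "balance": 75},
}
ROLES_DB = {"alice": "user", "bob": "user", "carol": "admin"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}


def make_app(enforce_authorization):
    """Build a tiny in-memory app. With enforce_authorization=False the handlers
    authenticate the session but never consult the ownership/role rows, which is
    the IDOR and missing-role-check weakness the probes below surface."""
    def app(path, params, cookie):
        user = SESSIONS.get(cookie)
        if user is None:
            return 401, "login required"
        if path == "/account":
            acct = ACCOUNTS_DB.get(int(params.get("id", "0")))
            if acct is None:
                return 404, "no such account"
            if enforce_authorization and acct["owner"] != user and ROLES_DB[user] != "admin":
                return 403, "forbidden"
            return 200, f"owner={acct['owner']} balance={acct['balance']}"
        if path == "/admin/users":
            if enforce_authorization and ROLES_DB[user] != "admin":
                return 403, "forbidden"
            return 200, ",".join(sorted(ROLES_DB))
        return 404, "not found"
    return app


def check_escalation(app, path, params, allowed_cookie, attacker_cookie, kind):
    """Replay a request that succeeds for an authorised session using a session
    that should be denied; an identical 200 response means the authorization
    decision loaded from the db was never applied."""
    base_status, base_body = app(path, params, allowed_cookie)
    if base_status != 200:
        return None                           # no baseline, inconclusive
    status, body = app(path, params, attacker_cookie)
    if status == 200 and body == base_body:
        return (kind, path, dict(params))
    return None


def scan_access_control(app):
    """Run the horizontal and vertical checks; returns a list of findings."""
    findings = []
    # horizontal: alice requests bob's account (ownership lives in ACCOUNTS_DB)
    f = check_escalation(app, "/account", {"id": "102"}, "tok-bob", "tok-alice",
                         "horizontal-privilege-escalation")
    if f:
        findings.append(f)
    # vertical: a plain user calls an admin-only endpoint (role lives in ROLES_DB)
    f = check_escalation(app, "/admin/users", {}, "tok-carol", "tok-alice",
                         "vertical-privilege-escalation")
    if f:
        findings.append(f)
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan_access_control(make_app(False)))
    print("hardened:  ", scan_access_control(make_app(True)))
```

The check needs two valid sessions and knowledge of which resource belongs to which user, which is why the deck files it under "tests in the context of a user": the scanner must be logged in as alice and as bob, and the answer depends on rows in ACCOUNTS_DB rather than on anything visible in the handler's source. Conversely, a reviewer reading `make_app` can see that the authorization branch exists, but cannot tell from the code alone whether alice is allowed to read account 102.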
SAST Challenges
• Scope
  − What code is included? Third-party libraries?
  − Environment: some tools require a buildable environment, which can be hard to set up
• Subject matter expertise
  − Best results if performed by someone intimately familiar with the development
  − Hard to gain an understanding of an application just to perform a review
• Some languages are not well supported
  − PHP and other languages are not well supported; varies by tool
Testing Method Attributes

Attribute                                                          SAST   DAST
Identifies weaknesses, including the OWASP Top 10                   yes    yes
Requires a human to validate findings                               yes
Identifies weaknesses outside the app code (web server, etc.)              yes
Identifies weaknesses in user or runtime context                           yes
Identifies logic flaws                                              yes
Definitive at the application level                                 yes
Identifies risks not visible to external testing (time bomb)        yes
DAST
• Situations in which DAST is most often used:
  − Source code for the application is not available
    May be able to identify issues by scanning the binary, but how do you fix them?
  − Limited resources
    Don't need resources able to understand software code
    Testing usually focuses on the most common use cases
    Usually takes less effort
  − Limited attack vectors
    Code is known to be written with strong review and change control procedures
SAST
• Situations in which SAST is most often used:
  − Web application is a product
    Vulnerable products = loss of brand reputation
    Identification of a vulnerability by users is too late
  − Source code and expertise are available
    Best when developers are involved in the review
    Best when integrated into the SDLC
  − Insider threat
    Code may not have been developed under strong review and release controls, or may have been acquired in a merger, etc.
Conclusions
• Both SAST and DAST have important roles
• Generalizations (there will always be exceptions):
  − SAST = more definitive identification at the application level, at more cost
  − DAST = better identification across the full solution, at less cost
• DAST can be used to ensure applications are tested on a regular basis and can be a first line of defense
• SAST can be used when additional depth of testing is required
Resources
• SAST: list of static analysis tools
  − http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• DAST: list of dynamic testing tools
  − http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List