Integrations: Make Sense of SAST and DAST


As defined by Gartner: “Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a non-running state.”

SAST (or Static Code Analysis) identifies security vulnerabilities efficiently within application source code. It should be done early in the development lifecycle and continuously used throughout the life of the application so issues can be resolved with less effort and in less time. The technology provides immediate feedback on issues introduced into code during development, offers vulnerability discovery, and enables developers to create more secure software.

Micro Focus Fortify Static Code Analyzer identifies security vulnerabilities in application source code early in the software development lifecycle and provides best practices so developers can code more securely.
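A concrete illustration of what “inside out, in a non-running state” means, as an added example that is not Fortify Static Code Analyzer code: a small Python script that parses source into an abstract syntax tree and flags database `execute()` calls whose query text is assembled by string formatting, the pattern behind SQL injection. The program being scanned is never executed. The sample source, the `find_sql_sinks` function and the `Finding` type are all constructed for this example and are not Fortify APIs.

```python
"""Minimal SAST-style check for SQL built by string formatting.

This is an added example, not Fortify Static Code Analyzer code. It parses
Python source into an AST (the scanned program is never run) and reports calls
to .execute()/.executemany() whose query argument is assembled at run time by
concatenation, an f-string, %-formatting or str.format(). A parameterised
call, where the query text is a constant, is not flagged.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line: int      # 1-based line in the scanned source
    reason: str    # how the query string was built


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return why `node` is a dynamically built string, or None if it is not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_sql_sinks(source: str) -> List[Finding]:
    """Walk the AST and collect execute() calls fed a dynamically built query."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        reason = _dynamic_string_reason(node.args[0])
        if reason is not None:
            findings.append(Finding(node.lineno, reason))
    return findings


# Constructed sample input: four unsafe variants and one parameterised query.
SAMPLE_SOURCE = '''\
def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(name))
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


if __name__ == "__main__":
    for f in find_sql_sinks(SAMPLE_SOURCE):
        print(f"line {f.line}: query built by {f.reason}")
```

Running it reports the four formatted queries and stays silent on the parameterised one. A production SAST engine goes much further, tracing tainted data across functions and files; this syntactic check would miss a query string built elsewhere and passed in, and would flag concatenation of two constants, which is the kind of false positive the static-plus-dynamic combination described later in this post is meant to remove.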

On the other hand, dynamic application security testing is a different method used to find application vulnerabilities. According to Gartner’s definition: “Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only the exposed HTTP and HTML interfaces of Web-enabled applications; however, some solutions are designed specifically for non-Web protocol and data malformation (for example, remote procedure call, Session Initiation Protocol [SIP] and so on).”

Dynamic Application Security Testing (DAST), together with Interactive Application Security Testing (IAST, which adds an agent on the scanned servers that feeds runtime observations back to the DAST sensors), tests the dynamic behavior of running web applications and services to identify security vulnerabilities, and integrates runtime analysis to expand the attack surface that can be exercised. Thanks to this approach, issues in hidden directories and pages that would go undetected by black-box testing alone can be detected and addressed. Integrating dynamic and runtime analysis finds more issues and lets them be fixed in a shorter period of time.

Micro Focus WebInspect is the industry-leading Web application security assessment solution designed to thoroughly analyze today’s complex Web applications and Web services for security vulnerabilities.
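To show the DAST side in the same spirit, here is an added example (not WebInspect or IAST code) that treats a running web application as a black box. It drives the application only through its HTTP interface, using Python's `wsgiref` to call it in-process so the demonstration runs offline, sends a harmless marker in a query parameter and reports whether the marker comes back with its HTML metacharacters intact, the condition a DAST scanner would flag as a missing output encoding. The two target applications, the marker value and the function names are all constructed for this example.

```python
"""Minimal DAST-style check run against a live web application as a black box.

This is an added example, not WebInspect code. The scanner never sees the
application's source; it talks to the app only through its WSGI/HTTP interface
(in-process here, so it runs offline) and inspects the response for a harmless
marker sent in a query parameter. If the marker is returned verbatim, the
parameter is reflected without output encoding. Both target apps are
constructed for the example: one vulnerable, one with escaping applied.
"""
import html
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

WSGIApp = Callable  # any (environ, start_response) callable


def _query_param(environ: dict, name: str) -> str:
    return parse_qs(environ.get("QUERY_STRING", "")).get(name, [""])[0]


def vulnerable_app(environ, start_response):
    """Constructed target: echoes the `q` parameter into HTML without escaping."""
    q = _query_param(environ, "q")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Results for {q}</h1>".encode("utf-8")]


def fixed_app(environ, start_response):
    """Constructed target: the same page with output encoding applied."""
    q = _query_param(environ, "q")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Results for {html.escape(q)}</h1>".encode("utf-8")]


def http_get(app: WSGIApp, path: str, query: Dict[str, str]) -> Tuple[str, str]:
    """Send one GET through the app's HTTP-level interface; return (status, body)."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ: dict = {}
    setup_testing_defaults(environ)   # fills REQUEST_METHOD, SERVER_NAME, wsgi.* keys
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(query)
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


# Harmless probe string containing < and > so that escaping is observable.
MARKER = "dastprobe<7f3a>"


def reflects_unescaped(app: WSGIApp, path: str = "/search", param: str = "q") -> bool:
    """True if the marker comes back verbatim, i.e. `param` lacks output encoding."""
    status, body = http_get(app, path, {param: MARKER})
    return status.startswith("200") and MARKER in body


if __name__ == "__main__":
    for name, app in (("vulnerable_app", vulnerable_app), ("fixed_app", fixed_app)):
        print(f"{name}: reflected unescaped = {reflects_unescaped(app)}")
```

Only the HTTP response is examined; the check knows nothing about how the handler is written. That is what makes a dynamic result a confirmation of real behavior, and also why it cannot by itself point to the line of code responsible, which is the gap the IAST agent on the server side is meant to fill.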

When used in isolation, static and dynamic testing each provide valuable results for understanding and addressing application risk. When used in combination, these methods provide the most accurate assessment of that risk: dynamic results prove that a statically found issue is exploitable, support cause-and-consequence analysis, and remove false positives. These benefits help win broad buy-in for application security across the organization.

Fortify not only provides extensive integration capability for Micro Focus WebInspect, it also provides integrations for other leading DAST and vulnerability management vendors. Integrations include Burp, Tenable Nessus, Qualys VM, Rapid7 Nexpose, IBM AppScan, Application Security Inc. AppDetective, White Hat, and Tripwire IP360.

This post is part of the Fortify Integrations series, which starts with the main post, Integrations: Empowering Dev, Test & Ops with Security. Look for my next post, coming soon: Protect the “Untouchables” & Secure the New Hype.
