Building secure apps starts in the development life cycle. During this time, it’s important to run static application security testing (SAST) and dynamic application security testing (DAST). When leveraged together, they provide a more comprehensive view of an application’s risk posture and cyber resilience.
We recently hosted an AppSec-specific webinar, The Synergies with SAST and DAST, with Fortify product experts Rick Smith and Jimmy Rabon. They discussed how testing both ways yields the most complete view of the risk posed by weaknesses and vulnerabilities within the application. They also covered the following topics:
- What is SAST?
- What is DAST?
- The pros and cons of both SAST and DAST
- Five reasons for SAST + DAST
While we answered as many audience questions as time allowed, many questions went unanswered, so we are addressing them here.
Are false positives possible when using SAST in the IDE and can we override if the developer wants to?
With SAST, false positives are always possible. But with Fortify products, you can suppress individual issues (which is the developer override the question asks about), set filters, and use other features to get actionable results at every stage of testing.
What about interactive app security testing (IAST)? Does it have a role in a secure SDLC? How does it compare to SAST and DAST?
IAST can have a role in a secure SDLC. WebInspect Agent supports IAST by combining dynamic and runtime analysis to find more vulnerabilities and fix them faster. Because it runs inside the application, WebInspect Agent crawls more of it, expanding attack-surface coverage (hidden directories and pages, OATH authentication, unused parameters, backdoors, privacy violations) and detecting vulnerability types that black-box security testing technologies miss. IAST follows the inputs that functional tests have already sent into the application.
IAST only looks inside the application and at the functionality that is actually exercised. It does not cover every flaw type or the entire code base, so it runs faster than SAST but with nowhere near the same coverage. And because IAST is still fairly new, it supports only the major programming languages.
What is the reporting in Static Code Analyzer (SCA) SAST like? Is it in PDF format if I were to run a standalone SCA deployment?
SCA results are reported through Fortify Software Security Center, a centralized management repository. It provides visibility into an organization’s entire application security program and helps resolve security vulnerabilities across the software portfolio, including the findings SCA produces.
How can we deal with false positives in SAST if we automate the tool?
To layer context automatically at scale on static analysis issues, Fortify provides issue templates built on filter groups, which let you move issues from one folder to another and hide issues you do not plan to address or that are contextually irrelevant. Issue templates can be applied enterprise-wide and shared across applications, so the same filtering decisions are made the same way everywhere. If you know you will never act on a certain class of code or issue, create a filter in the UI that says, in effect: “we’re not interested in those types of vulnerabilities.”
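Both answers above come down to one mechanism: a shared rule set that routes issues to folders and hides whole classes of them with a recorded justification. The example below is added here and is not Fortify code; Fortify does this through issue templates in its own UI. It applies the same idea to a SARIF 2.1.0 document, the interchange format most SAST tools can export. The SARIF input, the rule IDs, the file paths and the rule set are all constructed for the example.

```python
"""Rule-driven triage of SAST findings at scale (added example, not Fortify code)."""
import fnmatch
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 export standing in for a real scan result.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQL_INJECTION", "level": "error",
             "message": {"text": "Tainted data reaches executeQuery()"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "src/main/java/app/OrderDao.java"}}}]},
            {"ruleId": "SQL_INJECTION", "level": "error",
             "message": {"text": "Tainted data reaches executeQuery()"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "src/test/java/app/OrderDaoTest.java"}}}]},
            {"ruleId": "LOG_FORGING", "level": "warning",
             "message": {"text": "Unsanitized input written to log"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "src/main/java/app/Audit.java"}}}]},
            {"ruleId": "HARDCODED_PASSWORD", "level": "error",
             "message": {"text": "Password literal in source"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "src/main/java/app/Config.java"}}}]},
        ],
    }],
}

# Hypothetical enterprise-wide rule set, evaluated in order; first match wins.
# "hide" suppresses the issue with a justification (a hidden issue is a
# recorded decision, not a deletion); "folder" routes it to a review bucket.
TRIAGE_RULES = [
    {"name": "test-code", "path_glob": "*/test/*", "action": "hide",
     "justification": "Test code is not shipped; accepted per AppSec policy"},
    {"name": "log-forging-low", "rule_id": "LOG_FORGING",
     "action": "folder", "folder": "Low"},
    {"name": "errors-critical", "level": "error",
     "action": "folder", "folder": "Critical"},
]


def result_uri(result):
    """First artifact URI of a SARIF result, or '' if it has no location."""
    locations = result.get("locations") or []
    if not locations:
        return ""
    physical = locations[0].get("physicalLocation", {})
    return physical.get("artifactLocation", {}).get("uri", "")


def rule_matches(rule, result):
    """Every selector present on the rule must match; absent selectors match anything."""
    if "rule_id" in rule and result.get("ruleId") != rule["rule_id"]:
        return False
    if "level" in rule and result.get("level") != rule["level"]:
        return False
    if "path_glob" in rule and not fnmatch.fnmatchcase(result_uri(result), rule["path_glob"]):
        return False
    return True


def triage(sarif, rules, default_folder="Unassigned"):
    """Apply the rules to every result.

    Returns (annotated copy of the SARIF document, {folder: [result index]}).
    Hidden results get a standard SARIF 'suppressions' entry; routed results
    get the folder recorded in their 'properties' bag.
    """
    doc = json.loads(json.dumps(sarif))  # deep copy; never mutate the scan output
    folders = defaultdict(list)
    for run in doc["runs"]:
        for idx, result in enumerate(run.get("results", [])):
            rule = next((r for r in rules if rule_matches(r, result)), None)
            if rule is None:
                folders[default_folder].append(idx)
            elif rule["action"] == "hide":
                result.setdefault("suppressions", []).append(
                    {"kind": "external", "status": "accepted",
                     "justification": rule["justification"]})
                folders["Hidden"].append(idx)
            else:
                result.setdefault("properties", {})["folder"] = rule["folder"]
                folders[rule["folder"]].append(idx)
    return doc, dict(folders)


def open_issues(doc):
    """Results still visible to reviewers after triage."""
    return [r for run in doc["runs"] for r in run.get("results", [])
            if not r.get("suppressions")]


if __name__ == "__main__":
    annotated, buckets = triage(SAMPLE_SARIF, TRIAGE_RULES)
    for folder, indexes in sorted(buckets.items()):
        print(folder, [annotated["runs"][0]["results"][i]["ruleId"] for i in indexes])
```

Rule order matters: the test-code rule sits first so that an SQL injection finding in a test fixture is hidden rather than routed to Critical. Writing the suppression into the SARIF `suppressions` array, rather than deleting the result, keeps the decision auditable when the next scan runs.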
What other tools should I use in conjunction with DAST to build a more robust AppSec program?
Software composition analysis, also known as open source security scanning (the known-vulnerability space; not to be confused with Fortify Static Code Analyzer, which is also abbreviated SCA), makes the most sense. It can run in the same pipeline step as SAST. Its limitation is that it doesn’t understand your actual code: it fingerprints your dependencies and then looks them up in a database of issues known for those particular components and versions. That being said, open source scanning makes the most sense from a workflow perspective.
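The two steps described above, fingerprint then look up, as an added example that is not Fortify code. The lockfile and the advisory list are constructed, and the advisory IDs are made up. What to notice is the shape of the output: a package, a version and an advisory, and nothing about whether the application ever reaches the vulnerable code, because this kind of scanner never reads the application's own code.

```python
"""Minimal software composition analysis matcher (added example, not Fortify code)."""
import re

# Constructed lockfile with pinned versions.
LOCKFILE = """\
# generated by the build
requests==2.19.1
Flask==2.3.2
PyYAML==5.3.1
"""

# Constructed advisory database: (package, introduced, fixed, advisory id).
# Affected range is introduced <= version < fixed; fixed=None means no fix yet.
ADVISORIES = [
    ("requests", "0", "2.20.0", "EXAMPLE-0001"),
    ("pyyaml", "0", "5.4", "EXAMPLE-0002"),
    ("flask", "3.0.0", None, "EXAMPLE-0003"),
]


def parse_version(text):
    """Dotted numeric version -> tuple of ints, so '5.10' sorts after '5.4'
    (a plain string compare would get that wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_lockfile(text):
    """Fingerprint step: {normalized package name: pinned version}."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if match:
            deps[match.group(1).lower()] = match.group(2)
    return deps


def is_affected(version, introduced, fixed):
    """True when version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(lockfile_text, advisories):
    """Lookup step: every (package, version, advisory) hit, sorted for stable output."""
    deps = parse_lockfile(lockfile_text)
    hits = []
    for package, introduced, fixed, advisory in advisories:
        version = deps.get(package)
        if version is not None and is_affected(version, introduced, fixed):
            hits.append((package, version, advisory))
    return sorted(hits)


if __name__ == "__main__":
    for package, version, advisory in scan(LOCKFILE, ADVISORIES):
        print(f"{package}=={version}: {advisory} (reachability unknown)")
```

Flask 2.3.2 is not reported because the constructed advisory only applies from 3.0.0 onward; getting the range comparison right (numeric, not lexical) is where home-grown matchers usually go wrong.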
Where does a web application firewall (WAF) fit into this? Is a WAF SAST, DAST, or neither?
A WAF is neither SAST nor DAST; it is a production-time control. To protect production applications that still carry vulnerabilities, a popular practice is to monitor network traffic and try to interpret what is happening inside the application using tools such as WAFs. These approaches excel at detecting network-based attacks, such as a distributed denial of service (DDoS), and can sometimes catch first-order SQL injection. However, they fall short at detecting more sophisticated application-based attacks, because they see only the request, not how the application uses it.
Do you have a product that monitors an application while running—such as a web application security monitor?
Another defense for applications in production is runtime application self-protection (RASP). Fortify Application Defender provides RASP: it runs inside the application and monitors and protects it in production against common attacks and vulnerabilities in real time.
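The contrast between the two answers above, the WAF's request-level view and the runtime agent's in-application view, as an added example that is neither Fortify code nor a description of how Application Defender works internally. `waf_inspect` is a hypothetical signature filter of the kind applied to request parameters; `rasp_check` is a hypothetical check placed where the application builds its SQL, which can ask a structural question (did the tainted value break out of the string literal it was put in?) instead of matching keywords. The requests are constructed.

```python
"""Signature matching at the edge versus a structural check at the query site
(added example; both checks are hypothetical, not any product's logic)."""
import re

# Constructed request parameters, one dict per request, as a WAF would see them.
REQUESTS = [
    {"user": "alice"},                    # benign
    {"user": "alice' OR 1=1--"},          # textbook first-order injection
    {"user": "alice'/**/OR/**/1=1--"},    # same attack; MySQL treats /**/ as whitespace
    {"user": "union select"},             # benign but keyword-shaped display name
]

# Hypothetical WAF signatures: keywords separated by literal whitespace.
WAF_SIGNATURES = [
    re.compile(r"(?i)'\s+or\s+\d+\s*=\s*\d+"),
    re.compile(r"(?i)\bunion\s+select\b"),
    re.compile(r"(?i);\s*drop\s+table\b"),
]


def waf_inspect(params):
    """Request-level check: True when any signature fires on any parameter."""
    return any(sig.search(value) for value in params.values() for sig in WAF_SIGNATURES)


def build_query(user):
    """The vulnerable application code: user data concatenated into a literal."""
    return "SELECT id FROM users WHERE name = '" + user + "'"


def rasp_check(tainted_value):
    """Structural check at the point where build_query is about to run.

    The developer placed the value inside a single-quoted literal, so the only
    legitimate quote inside it is an escaped one (''). Any other quote ends the
    literal and turns the rest of the value into SQL syntax, however the
    keywords are spelled or obfuscated. Knowing that the value lands inside a
    literal is the context a network-level WAF does not have.
    """
    return "'" in tainted_value.replace("''", "")


def compare(requests):
    """(waf_flagged, rasp_flagged) for each constructed request."""
    return [(waf_inspect(params), rasp_check(params["user"])) for params in requests]


if __name__ == "__main__":
    for params, (waf, rasp) in zip(REQUESTS, compare(REQUESTS)):
        print(f"{params['user']!r:28} WAF={waf!s:5} RASP={rasp!s:5}  {build_query(params['user'])}")
```

Request 2 slips past the signatures because comments replaced the whitespace the regex expects, yet it still breaks the literal, so the structural check catches it; request 3 is the mirror image, a false positive at the edge and a clean pass at the query site. The runtime check does not replace fixing the concatenation in `build_query`; it is a safety net while that fix ships.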
Do you have free scaled-down SAST and DAST products?
Check out our free Fortify on Demand trial. It gives you full access to Fortify on Demand for 15 days with no credit card required. Every scan includes expert manual review and all accounts are supported by a dedicated team.
View the full webinar here: The Synergies of SAST and DAST.
Have technical questions about Fortify? Visit the Fortify Community. Keep up with the latest Tips & Info about Fortify. We’d love to hear your thoughts on this blog. Comment below. Or go to the Fortify Users Discussion Board to start a conversation.