SlideShare a Scribd company logo

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Cigital
Cigital

High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks. Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack. The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running. Let us guide you through your application security testing journey with more key differences between SAST and DAST:

Software
1 of 1
Download to read offline
Static application security testing (SAST) and dynamic application security testing (DAST) are both methods of testing for security vulnerabilities, but are used very differently. Here are some key differences between the two: Static Application Security Testing (SAST)Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST)Dynamic Application Security Testing (DAST) SASTSAST DASTDAST vs.vs. White box security testingWhite box security testing Black box security testingBlack box security testing Requires source codeRequires source code Requires a running applicationRequires a running application Finds vulnerabilities earlier in the SDLC Finds vulnerabilities earlier in the SDLC Finds vulnerabilities towards the end of the SDLC Finds vulnerabilities towards the end of the SDLC Less expensive to fix vulnerabilities Less expensive to fix vulnerabilities More expensive to fix vulnerabilities More expensive to fix vulnerabilities Runtime and environment- related issues can’t be discovered Runtime and environment- related issues can’t be discovered Runtime and environment- related issues can be discovered Runtime and environment- related issues can be discovered Typically supports all kinds of software Typically supports all kinds of software Typically scans only apps like web applications and web services. Typically scans only apps like web applications and web services. Tester has access to the underlying framework, design, and implementation. Tests the application from the inside-out. The developer approach. Tests the application from the outside-in. The hacker approach. Tester has no knowledge of the technologies or frameworks that the application is built on. Doesn’t require a deployed application. Analyzes source code or binaries without executing the application. Analyzes software by executing it. Doesn’t require source code or binaries. The scan can be executed as soon as code is deemed feature-complete. Vulnerabilities can be discovered after the development cycle is complete. Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to get the vulnerability remediated. Findings can often be fixed before the code enters the QA cycle. Since vulnerabilities are found towards the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. Since the tool scans static code, runtime vulnerabilities can’t be discovered. Since the tool uses dynamic analysis on an application, it is able to find runtime vulnerabilities. Examples include web applications, web services, and thick clients. DAST is not useful for other types of software. SAST and DAST techniques complement each other. Both need to be carried out for comprehensive testing. To learn how to create a comprehensive application security testing program, visit www.cigital.com.

Recommended

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsiAppSecure Solutions
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 

Recommended

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsiAppSecure Solutions
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsSpv Reddy
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityOry Segal
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Denim Group
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisPrancer Io
 
The Dynamic Application Security Testing Process: A Step-by-Step Guide
The Dynamic Application Security Testing Process: A Step-by-Step GuideThe Dynamic Application Security Testing Process: A Step-by-Step Guide
The Dynamic Application Security Testing Process: A Step-by-Step GuideDev Software
 

More Related Content

What's hot

DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityOry Segal
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Denim Group
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 

What's hot (20)

DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application Security
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 

Similar to SAST vs. DAST: What’s the Best Method For Application Security Testing?

Static code analysis
Static code analysisStatic code analysis
Static code analysisPrancer Io
 
The Dynamic Application Security Testing Process: A Step-by-Step Guide
The Dynamic Application Security Testing Process: A Step-by-Step GuideThe Dynamic Application Security Testing Process: A Step-by-Step Guide
The Dynamic Application Security Testing Process: A Step-by-Step GuideDev Software
 
How to Use Static Application Security Testing for Web Applications
How to Use Static Application Security Testing for Web ApplicationsHow to Use Static Application Security Testing for Web Applications
How to Use Static Application Security Testing for Web ApplicationsDev Software
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...IJNSA Journal
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...IJNSA Journal
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycleEnov8
 
Automated pentesting vs dynamic application security testing (dast) (2)
Automated pentesting vs dynamic application security testing (dast) (2)Automated pentesting vs dynamic application security testing (dast) (2)
Automated pentesting vs dynamic application security testing (dast) (2)Prancer Io
 
Automated Pentesting vs Dynamic Application Security Testing
Automated Pentesting vs Dynamic Application Security TestingAutomated Pentesting vs Dynamic Application Security Testing
Automated Pentesting vs Dynamic Application Security TestingPrancer Io
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 

Similar to SAST vs. DAST: What’s the Best Method For Application Security Testing? (20)

Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
The Dynamic Application Security Testing Process: A Step-by-Step Guide
The Dynamic Application Security Testing Process: A Step-by-Step GuideThe Dynamic Application Security Testing Process: A Step-by-Step Guide
The Dynamic Application Security Testing Process: A Step-by-Step Guide
 
How to Use Static Application Security Testing for Web Applications
How to Use Static Application Security Testing for Web ApplicationsHow to Use Static Application Security Testing for Web Applications
How to Use Static Application Security Testing for Web Applications
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle
 
Automated pentesting vs dynamic application security testing (dast) (2)
Automated pentesting vs dynamic application security testing (dast) (2)Automated pentesting vs dynamic application security testing (dast) (2)
Automated pentesting vs dynamic application security testing (dast) (2)
 
Automated Pentesting vs Dynamic Application Security Testing
Automated Pentesting vs Dynamic Application Security TestingAutomated Pentesting vs Dynamic Application Security Testing
Automated Pentesting vs Dynamic Application Security Testing
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
CODE INSPECTION VIMRO 2015 MHF
CODE INSPECTION VIMRO 2015 MHFCODE INSPECTION VIMRO 2015 MHF
CODE INSPECTION VIMRO 2015 MHF
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 

More from Cigital

7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMMCigital
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Cigital
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for YouCigital
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game SecurityCigital
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentCigital
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Cigital
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotCigital
 
Cyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCigital
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital
 
BSIMM By The Numbers
BSIMM By The NumbersBSIMM By The Numbers
BSIMM By The NumbersCigital
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityCigital
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelCigital
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams Cigital
 
How to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsHow to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsCigital
 

More from Cigital (20)

7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for You
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game Security
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM Assessment
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
 
Cyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass Houses
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
 
BSIMM By The Numbers
BSIMM By The NumbersBSIMM By The Numbers
BSIMM By The Numbers
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams
 
How to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsHow to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security Flaws
 

Recently uploaded

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 

Recently uploaded (20)

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 

SAST vs. DAST: What’s the Best Method For Application Security Testing?

  • 1. Static application security testing (SAST) and dynamic application security testing (DAST) are both methods of testing for security vulnerabilities, but are used very differently. Here are some key differences between the two: Static Application Security Testing (SAST)Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST)Dynamic Application Security Testing (DAST) SASTSAST DASTDAST vs.vs. White box security testingWhite box security testing Black box security testingBlack box security testing Requires source codeRequires source code Requires a running applicationRequires a running application Finds vulnerabilities earlier in the SDLC Finds vulnerabilities earlier in the SDLC Finds vulnerabilities towards the end of the SDLC Finds vulnerabilities towards the end of the SDLC Less expensive to fix vulnerabilities Less expensive to fix vulnerabilities More expensive to fix vulnerabilities More expensive to fix vulnerabilities Runtime and environment- related issues can’t be discovered Runtime and environment- related issues can’t be discovered Runtime and environment- related issues can be discovered Runtime and environment- related issues can be discovered Typically supports all kinds of software Typically supports all kinds of software Typically scans only apps like web applications and web services. Typically scans only apps like web applications and web services. Tester has access to the underlying framework, design, and implementation. Tests the application from the inside-out. The developer approach. Tests the application from the outside-in. The hacker approach. Tester has no knowledge of the technologies or frameworks that the application is built on. Doesn’t require a deployed application. Analyzes source code or binaries without executing the application. Analyzes software by executing it. Doesn’t require source code or binaries. The scan can be executed as soon as code is deemed feature-complete. Vulnerabilities can be discovered after the development cycle is complete. Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to get the vulnerability remediated. Findings can often be fixed before the code enters the QA cycle. Since vulnerabilities are found towards the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. Since the tool scans static code, runtime vulnerabilities can’t be discovered. Since the tool uses dynamic analysis on an application, it is able to find runtime vulnerabilities. Examples include web applications, web services, and thick clients. DAST is not useful for other types of software. SAST and DAST techniques complement each other. Both need to be carried out for comprehensive testing. To learn how to create a comprehensive application security testing program, visit www.cigital.com.