What Is SAST
The acronym “SAST” stands for Static Application Security Testing.
Many teams build applications for speed, automation, performance and user experience, and forget the damage an application that lacks security can do.
Security testing is not about speed or performance; it is about finding vulnerabilities.
Why "static"? Because the analysis examines the code without running it, so it can happen long before the application is live. SAST helps you find vulnerabilities in your application before the world finds them for you.
How Does It Work
SAST works by analysing the application's source code (some tools work on bytecode or binaries instead) for patterns that could give an attacker a way in, for example untrusted input flowing into a SQL query, a shell command or a file path. Because it reads the code rather than exercising the running application, it usually runs before the code is compiled or packaged, and it can be wired into the IDE or the CI pipeline.
SAST is a form of white-box testing. When a finding is reported, the next step is to review the flagged code, confirm it is a real issue (SAST tools produce false positives, so triage is part of the process) and fix it before the build is deployed.
White-box testing is any testing approach in which the tester has full knowledge of the software's internals: its source, its structure, and how its components and external integrations fit together.
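To make the idea concrete, here is a small SAST checker written as an added example for this page (it is not the code of any real SAST product). It parses Python source into an abstract syntax tree and flags calls where a string assembled at run time (f-string, %, .format or +) reaches a command or SQL sink. The sink lists and the sample program it scans are constructed for illustration.

```python
import ast

# Sinks this toy checker knows about (an assumption for illustration; real
# tools ship large sink databases and do inter-procedural data-flow analysis).
SHELL_SINKS = {"os.system", "subprocess.call", "subprocess.run", "subprocess.Popen"}
SQL_SINKS = {"execute", "executemany"}


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_dynamic_string(node):
    """True if the expression assembles a string at run time:
    f-string, % formatting, .format() call, or + concatenation."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class SinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, issue, sink)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in SHELL_SINKS:
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            # os.system always goes through a shell; subprocess only with shell=True
            if node.args and (name == "os.system" or shell_true) \
                    and _is_dynamic_string(node.args[0]):
                self.findings.append((node.lineno, "command-injection", name))
        elif isinstance(node.func, ast.Attribute) and node.func.attr in SQL_SINKS:
            if node.args and _is_dynamic_string(node.args[0]):
                self.findings.append((node.lineno, "sql-injection", node.func.attr))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Parse Python source and return sorted (line, issue, sink) findings."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings)


# Constructed sample program to scan: three unsafe calls next to their safe forms.
SAMPLE = '''
import os, subprocess

def lookup(db, username):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)   # unsafe
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))    # safe
    return cur.fetchall()

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)    # unsafe
    subprocess.run(["ping", "-c", "1", host])           # safe
    os.system(f"ping -c 1 {host}")                      # unsafe
'''

if __name__ == "__main__":
    for line, issue, sink in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {issue} via {sink}")
```

Running it reports lines 6, 11 and 13 of the sample and stays quiet on the parameterised query and the argument-list form of subprocess.run. Note the limitation that makes triage necessary: the checker cannot tell whether the concatenated value is actually attacker-controlled, so a query built from two constant fragments would be flagged too. Real SAST engines reduce that noise with data-flow analysis from sources to sinks, but never to zero.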
What Is DAST
“DAST” stands for Dynamic Application Security Testing. A DAST tool scans a running web application from the outside, sending requests and inspecting the responses, to find security vulnerabilities.
DAST needs a deployed, running instance of the application, typically a test or staging environment that mirrors production (scanning production itself is possible but must be done with care, since the probes can have side effects). Findings are reported to the security and development teams for remediation.
DAST can be integrated into the SDLC as soon as a build can be deployed somewhere the scanner can reach, and its focus is to reduce the risk that application vulnerabilities pose by finding the ones that are actually reachable over the network.
This is very different from SAST: DAST uses the black-box testing methodology, assessing the application from outside without access to its source code. That lets it find misconfigurations and runtime issues that SAST cannot see, but it cannot tell you which line of code is responsible.
DAST is usually run during the testing and QA phase of the SDLC.
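The following added example (not the page's code, and not any real scanner's) shows the black-box principle at its simplest. The scanner is given only a function that sends a request and returns the response body; it never sees the application's code. To keep the example runnable offline, the "web application" is a constructed in-process function standing in for an HTTP endpoint, with one SQL injection and one reflected XSS bug planted in it. The error-message patterns and the probe marker are assumptions chosen for illustration.

```python
import html
import re
import sqlite3
from urllib.parse import urlencode

# --- Constructed target: stands in for GET /search?q=...&msg=... over HTTP ---
# The scanner below never inspects this function; it only sees the body
# it returns, exactly as it would only see an HTTP response.
def _build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db

_DB = _build_db()

def target_app(params):
    """Return the response body for the given query parameters."""
    q = params.get("q", "")
    msg = params.get("msg", "")
    try:
        # planted bug 1: 'q' is concatenated into the SQL statement
        rows = _DB.execute("SELECT name FROM users WHERE name = '%s'" % q).fetchall()
    except sqlite3.Error as e:
        return f"<p>Database error: {e}</p>"        # leaks the error to the client
    names = ", ".join(r[0] for r in rows)
    # planted bug 2: 'msg' is echoed without escaping; 'q' is escaped correctly
    return f"<h1>{msg}</h1><p>Searched for {html.escape(q)}: {names}</p>"

# --- Scanner: knows nothing but requests and responses --------------------
SQL_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"database error", r"unrecognized token", r"syntax error",
    r"you have an error in your sql syntax")]
XSS_PROBE = '<dast"probe>'   # marker whose angle brackets must not survive escaping

def _looks_like_sql_error(body):
    return any(p.search(body) for p in SQL_ERROR_PATTERNS)

def scan_param(send, base_params, name):
    """Probe one parameter. `send(params)` performs the request and returns the body."""
    findings = []
    baseline = send(dict(base_params))

    # SQL injection (error-based): appending a lone quote should not turn a
    # normal response into a database error page.
    probe = dict(base_params, **{name: base_params.get(name, "") + "'"})
    if _looks_like_sql_error(send(probe)) and not _looks_like_sql_error(baseline):
        findings.append((name, "sql-injection (error-based)"))

    # Reflected XSS: the marker comes back with its brackets and quote intact.
    probe = dict(base_params, **{name: XSS_PROBE})
    if XSS_PROBE in send(probe):
        findings.append((name, "reflected-xss"))
    return findings

def scan(send, base_params):
    """Probe every parameter of one request and collect (param, issue) pairs."""
    results = []
    for name in base_params:
        results.extend(scan_param(send, base_params, name))
    return results

if __name__ == "__main__":
    for param, issue in scan(target_app, {"q": "alice", "msg": "hello"}):
        print(f"/search?{urlencode({param: '<probe>'})}: {issue}")
```

The scan reports SQL injection on q and reflected XSS on msg, and nothing about the escaped q output, because it judges only what comes back over the wire. That is the strength and the weakness of DAST in one picture: it tests the application as an attacker sees it, but it cannot point at the offending line, and injections that produce no visible error (blind or time-based) need more elaborate probes than a single quote.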
What Is IAST
“IAST” stands for Interactive Application Security Testing.
IAST is an application security tool, designed for web and mobile applications, that detects and reports issues while the application is running under test. To understand IAST you first need to understand SAST and DAST.
IAST was developed to address the limitations of both: SAST sees the code but not how it behaves at run time, which is where many of its false positives come from, while DAST sees the behaviour but not the code. IAST uses the grey-box testing methodology, combining the two views.
How Exactly Does IAST Work
IAST testing occurs in real time, like DAST, while the application runs in a staging or test environment. Because it sits inside the application, IAST can identify the exact file and line of code causing a security issue and report it to the developer for immediate remediation.
IAST also examines the code, like SAST, but does so post-build, by instrumenting the deployed application, rather than by analysing the source before it is built.
An IAST agent is deployed on the application server. When a request triggers a vulnerable code path, whether that request comes from a DAST scanner or from a QA tester clicking through the application, the agent reports the vulnerability together with the line number in the source code where it occurs.
During functional testing performed by QA, the agent traces every flow of data through the application, whether or not that data turns out to be dangerous, recording where it enters (a request parameter, a header, a cookie) and where it ends up (a SQL query, a command, a file path).
For example, if data coming from a user is concatenated into an SQL query, the agent flags that request and that line of code as vulnerable to SQL injection, whether or not the user actually sent an injection payload.
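The mechanism described above can be sketched in a few dozen lines. This is an added example for the page, not the code of any IAST product: it tags request data as tainted at the entry point, carries the tag through string operations, and, at the SQL sink, records the calling function and line when tainted text forms the query itself. The "agent" hooks (taint_request and instrumented_execute) and the application under test are assumptions constructed for the example; a real agent installs such hooks automatically by instrumenting the runtime rather than asking the application to call them.

```python
import inspect
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted request.
    String operations that the agent can see keep the tag alive."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))
    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))
    def __rmod__(self, template):          # "... %s" % tainted
        return Tainted(str.__mod__(template, self))


def taint_request(params):
    """Taint source: what the agent does at the request boundary."""
    return {k: Tainted(v) for k, v in params.items()}


FINDINGS = []


def instrumented_execute(cursor, sql, parameters=()):
    """Taint sink: the agent's wrapper around cursor.execute. Tainted query
    text means untrusted data shaped the statement, not just a bound value."""
    if isinstance(sql, Tainted):
        frame = inspect.currentframe().f_back        # the application frame
        FINDINGS.append({
            "issue": "sql-injection",
            "function": frame.f_code.co_name,
            "line": frame.f_lineno,
            "query": str(sql),
        })
    return cursor.execute(sql, parameters)


# --- Constructed application under test ------------------------------------
def _db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_unsafe(cur, params):
    sql = "SELECT role FROM users WHERE name = '%s'" % params["name"]   # stays tainted
    return instrumented_execute(cur, sql).fetchall()


def find_user_safe(cur, params):
    sql = "SELECT role FROM users WHERE name = ?"                       # constant text
    return instrumented_execute(cur, sql, (params["name"],)).fetchall()


def run_request(params):
    """Simulate one request passing through the agent; return its findings."""
    FINDINGS.clear()
    cur = _db().cursor()
    tainted = taint_request(params)
    find_user_safe(cur, tainted)      # not reported: only a bound parameter is tainted
    find_user_unsafe(cur, tainted)    # reported with function name and line
    return list(FINDINGS)


if __name__ == "__main__":
    for f in run_request({"name": "' OR '1'='1"}):
        print(f"{f['issue']} in {f['function']} at line {f['line']}: {f['query']}")
```

Two details are worth noticing. The safe function passes the same tainted value but as a bound parameter, so the query text is never tainted and nothing is reported; that is how the agent separates real injection from legitimate use of input. And the unsafe function is reported for the benign name "alice" just as it is for the injection payload, because the agent flags the dangerous data flow, not the attacker's intent. The example tracks taint through + and % only; f-strings and many library calls produce plain strings, which is why production agents instrument the runtime at a lower level than a str subclass.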
What Is RASP
“RASP” stands for Runtime Application Self Protection.
RASP is a runtime protection component that is built into or attached to an application. It analyses incoming requests, outgoing responses and end-user behaviour from inside the application and blocks attacks as they happen.
This makes RASP different from the other three: it is used after release, in production, so it is a protective control rather than a testing tool.
RASP is deployed on the web or application server, typically as an agent or library loaded into the application process, so it sits next to the running application and monitors and analyses inbound and outbound traffic.
As soon as an attack is detected, RASP alerts the security team and, depending on how it is configured, blocks the offending request or terminates the session of the user making it. RASP products commonly offer a monitor-only mode for tuning before blocking is switched on.
Because RASP sees the application's own context (the exact SQL query about to be executed, the file about to be opened, the command about to be run), it can protect against whole classes of attack rather than relying only on signatures of specific known vulnerabilities.
RASP observes the details of attacks on your application and learns how your application normally behaves. It adds some runtime overhead and is not a substitute for fixing vulnerable code, but it gives a running application a way to defend itself.
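The following added example (not the page's code and not any vendor's) shows one way a RASP hook on the SQL sink can protect without a signature. It reduces each query to its lexical structure (literals replaced by ?, comments marked, keywords case-folded), learns the structures the application normally issues, and in blocking mode refuses any query whose structure changes, which is exactly what an injected OR clause, UNION or trailing comment does. The SqlGuard class, the tokenizer and the application it guards are assumptions constructed for the example.

```python
import re
import sqlite3

_TOKEN = re.compile(r"""
    '(?:[^']|'')*'            # string literal ('' is an escaped quote)
  | \d+(?:\.\d+)?             # numeric literal
  | [A-Za-z_][A-Za-z0-9_]*    # identifier or keyword
  | --[^\n]*                  # line comment
  | /\*.*?\*/                 # block comment
  | \S                        # any other single character (operator, stray quote)
""", re.VERBOSE | re.DOTALL)


def skeleton(sql):
    """Reduce a query to its structure. Data values drop out, so 'alice' and
    'bob' give the same skeleton, but an injected clause changes it."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok[0] == "'" and len(tok) >= 2 and tok[-1] == "'":
            out.append("?")
        elif tok[0].isdigit():
            out.append("?")
        elif tok.startswith("--") or tok.startswith("/*"):
            out.append("<comment>")
        else:
            out.append(tok.upper())
    return " ".join(out)


class SqlGuard:
    """The RASP component sitting on the SQL sink inside the application."""
    def __init__(self, mode="learn"):
        self.mode = mode          # "learn", "monitor" or "block"
        self.allowed = set()      # query structures seen during normal operation
        self.alerts = []

    def execute(self, cursor, sql, parameters=()):
        shape = skeleton(sql)
        if self.mode == "learn":
            self.allowed.add(shape)
        elif shape not in self.allowed:
            self.alerts.append({"skeleton": shape, "query": sql})   # alert the SOC
            if self.mode == "block":
                raise PermissionError("RASP blocked SQL with unexpected structure")
        return cursor.execute(sql, parameters)


# --- Constructed application being protected --------------------------------
def _db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def get_role(guard, cur, username):
    # deliberately injectable: the application concatenates user input
    sql = "SELECT role FROM users WHERE name = '%s'" % username
    return [r[0] for r in guard.execute(cur, sql).fetchall()]


def demo():
    guard = SqlGuard("learn")
    cur = _db().cursor()
    for name in ("alice", "bob"):          # learning phase on trusted traffic
        get_role(guard, cur, name)
    guard.mode = "block"
    results = {"benign": get_role(guard, cur, "bob")}
    try:
        get_role(guard, cur, "' OR '1'='1")
        results["attack"] = "allowed"
    except PermissionError:
        results["attack"] = "blocked"
    results["alerts"] = len(guard.alerts)
    return results


if __name__ == "__main__":
    print(demo())
```

The injection is stopped even though the guard has no list of attack strings: the application normally issues the shape "SELECT ROLE FROM USERS WHERE NAME = ?", and the payload turns that into "... NAME = ? OR ? = ?". Two caveats match what the text says about RASP. The learning phase must run on trusted traffic, otherwise an attack shape gets learned as normal (products that derive the allowed shapes from the code's parameterised templates avoid this). And the guard does not make the code correct; the parameterised query is still the fix, with RASP as the safety net in production.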