Security Testing is faster than any other security market in IT systems, as AST (Application security Testing) will be adapting to the new development methodologies. Experts say that 90% of the security incidents are the results of attackers exploiting known errors. TSA will become the support in the development of secure applications. These tests finds any errors from the scratch.
AST started as a manual process. In this current situation as to the growing modularity of enterprise software, large number of open source components is also known as vectors. AST must be automated.
Production
Development Integration Acceptance Pre prod stage RASP
SAST SCA SAST SAST
SCA DAST DAST
MAST
Static Application Security Testing(SAST)
SAST tools significantly used in the White box testing, in which testers inspect the inner workings of an application.SAST monitors static source code and reports on security weakness. Static testing tools that is implemented to non-compiled code to find issues as the syntax errors, math errors, and invalid or insecure references.
Benefits of SAST are
- It has extensive assistance for different programming.
- Integrates into existing environments. At different points in software development.
- It provides details of a problem, even a line of code. It simplifies repair.
- It takes a little time to examine the code and compare favourably with manual audits.
The drawbacks of SAST are
- The application cannot be tested in actual environment.
- Vulnerabilities in application logic or may be unsafe configuration Which are not discoverable.
- It proceeds to model code behaviour inaccurately.
- Developers will have to deal with many false positives and negatives.
- Here the result is a static report that is quickly becomes obsolete.Implementing technology at scale which can be challenging,the process can be slow and testing is not applicable to production systems.
- All companies or individuals will not provide data binary code and source code analysis.
Dynamic Application Security Testing
DAST tools has use in black box testing. They run code and inspect it in runtime, detecting issues that present security vulnerabilities. This has issues with query strings, requests and responses, there are used scripts, memory leakage, cookie and sessionhandling, authentication, execution of third party components, data injection and DOM injection.
The principle of testing circles around the introduction to test code path failures in an application. For example, it can be send malicious data to the software in order to identify common security vulnerabilities.
Benefits of DAST:
- Analysis has developers to find runtime issues which are not something SAST must be capable of doing. This authentication and network configuration failure or issues that arise after login.
- There are fewer false positives.
The drawbacks
- DAST Tools does not has information as the existing causes of vulnerabilities and also have complexity maintaining coding standards.
Interactive application testing
IAST tools and evolution of SAST and DAST tools that combines the two approaches to detect a wider range of security weakness. DAST tools, IAST tools will run dynamically and inspect software at runtime. They are run from within the application server by allowing them to inspect compiled source code. IAST tools will offer valuable information about the root cause of vulnerabilities and the specific lines of code which are affected making the remedial that is much easier. It can analyse source code data flow configuration and third party libraries and also suitable for API testing.
Mobile Application Security Testing (MAST)
MAST application tools has static analysis, dynamic analysis. They can test for security vulnerabilities like SAST, DAST, IAST and mobile issues like malicious wifi networks and data leakage from mobile devices.
Questions
1. What is application security testing?
2. Explain SAST, DAST?
