DAST vs SAST
SAST Drawbacks
- High cost in human resources; even with a tool, the review is very time consuming
- Not scalable: only a limited number of applications can be tested thoroughly, and trained reviewers are in short supply
- High false positive rate with automated tools
- Unable to identify weaknesses that depend on runtime context:
  - Most access control is loaded from a database, so privilege escalation cannot be evaluated from the code alone
  - Can't find issues outside the code reviewed (web server, app server, etc.)
  - Can't determine whether the deployed web app is actually vulnerable (other controls, such as a WAF, may be in place)
DAST Advantages
- More cost effective: testing typically takes less time than static analysis plus validation of its findings
- Lower false positive rate than SAST
- Exercises the application in its runtime context:
  - Access control loaded from a database is tested as deployed, so privilege escalation can be evaluated
  - Can find issues outside the web app code (web server, app server, etc.)
  - Can determine whether the deployed web app is vulnerable, with other controls in place such as a WAF
DAST Drawbacks
- Can't identify logic-related issues
- Can't identify weaknesses that are not reachable in the testing context
- Has no visibility into security controls inside the web application
- Can't identify some categories at all, such as a time bomb or back door inserted by a malicious developer
- Can only test a limited number of paths
- Can be fooled by filters, etc.
Environment
- Some SAST tools require a buildable environment, which can be hard to set up
SAST                                                   | DAST
-------------------------------------------------------|-------------------------------------------------------------
Identifies logic flaws                                 | Identifies weaknesses outside the app code (web server, etc.)
Definitive at the application level                    | Identifies weaknesses in user or runtime context
Identifies risks not visible to external testing       |
(e.g., a time bomb)                                    |
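To make the trade-offs above concrete, here is a toy Python model, added here as an illustration and not code from the slides or from Qualys: a request handler whose access control comes from a database table (with a deliberate data-level misconfiguration), a parameter that is reflected into the page, and an optional filter standing in for a WAF. The `make_db`, `handle`, `waf`, `static_scan` and `dynamic_scan` names, the rule, the canary payload and the sample data are all assumptions constructed for this example. The source-level rule flags the reflection whether or not the filter is deployed and never sees the ACL row; the runtime probe finds the privilege escalation, and its XSS result flips depending on whether the filter sits in front of the handler.

```python
import inspect
import re
import sqlite3
from html import escape


# --- Application under test (constructed for this example) -------------------

def make_db():
    """Access control lives in data, not code: an ACL table and a users table.
    The row granting role 'user' access to /admin is a deliberate data-level
    mistake; no line of code is wrong, so a source-level scan cannot see it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (page TEXT, role TEXT)")
    db.executemany("INSERT INTO acl VALUES (?, ?)",
                   [("/home", "user"), ("/home", "admin"),
                    ("/admin", "admin"), ("/admin", "user")])  # <- misconfiguration
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def handle(db, user, page, q):
    """Toy handler: ACL check from the database, then a page that reflects q."""
    role = db.execute("SELECT role FROM users WHERE name = ?",
                      (user,)).fetchone()[0]
    allowed = db.execute("SELECT 1 FROM acl WHERE page = ? AND role = ?",
                         (page, role)).fetchone()
    if allowed is None:
        return 403, "forbidden"
    # Sink (intentional for the demo): q is reflected without escaping.
    return 200, "<h1>%s</h1><p>Search: %s</p>" % (escape(page), q)


def waf(handler):
    """A deployed-only control the source never shows: a crude request filter."""
    def wrapped(db, user, page, q):
        if "<script" in q.lower():
            return 403, "blocked by WAF"
        return handler(db, user, page, q)
    return wrapped


# --- Two ways of looking at the same application ------------------------------

def app_source():
    """What a SAST tool gets: the handler's source text, nothing else."""
    return inspect.getsource(handle)


def static_scan(source):
    """Crude SAST rule: a response built by formatting the raw parameter q.
    Returns (rule, line) pairs; it sees code only, never the ACL rows or the WAF."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if ("return" in line and re.search(r"%\s*\(.*\bq\b", line)
                and "escape(q)" not in line):
            findings.append(("reflected-xss", lineno))
    return findings


def dynamic_scan(app, db):
    """Crude DAST: probe the deployed stack and report only what it actually does."""
    findings = []
    canary = "<script>x</script>"        # one payload; a real scanner sends many
    status, body = app(db, "bob", "/home", canary)
    if status == 200 and canary in body:
        findings.append("reflected-xss")
    # Privilege test: a low-privilege user must not reach the admin page.
    status, _ = app(db, "bob", "/admin", "")
    if status == 200:
        findings.append("priv-escalation")
    return findings


if __name__ == "__main__":
    db = make_db()
    print("SAST               :", static_scan(app_source()))
    print("DAST, no WAF       :", dynamic_scan(handle, db))
    print("DAST, behind a WAF :", dynamic_scan(waf(handle), db))
```

Run stand-alone, the static rule reports the reflection and nothing about access control; the dynamic probe without the filter reports both the reflection and the privilege escalation; behind the filter it reports only the privilege escalation, because the payload never reached the sink. That last case is the slides' "can be fooled by filters" and "can determine if the deployed app is vulnerable" in one result.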
Limited Resources
- DAST does not need staff who can understand the software's source code
- Testing usually focuses on the most common use cases
- Usually takes less effort
Insider Threat
- Code may not have been developed under strong review and release controls, or may have been acquired in a merger, etc.; only review of the code itself (SAST) can surface a back door or time bomb
DAST can be used to ensure applications are tested on a regular basis and can serve as a first line of defense. SAST can be used when additional depth of testing is required.
Questions
Thank You
Will Bechtel wbechtel@qualys.com
http://www.qualys.com/products/qg_suite/was/