This piece is part of our ‘Faculty Focus’ series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Tanya Janca discusses how to select the right DAST and SAST tools for your organization.
Tanya Janca is the best-selling author of ‘Alice and Bob Learn Application Security’. She is the Director of Developer Relations and Community at Bright Security, as well as the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger and streamer, and has delivered hundreds of talks on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
Tanya: DAST stands for dynamic application security testing. These are automated tools that are run against web applications and APIs in an attempt to find as many vulnerabilities as possible. For a dynamic testing tool to work properly the code must be running, in the form of a live application, so that the tool can interact with that code and see how it works. The automated tool will click every link, attempt to visit every page, fill out forms and submit input to the application, attempting to find any potential security problems.
These tools have been around for a very long period and are used in many organizations. They are also often used by penetration testers and security researchers to do a fast triage of an application.
Tanya: DAST Tools:
It is important to do some training and perform regular backups of the apps and data you are testing to ensure you don't accidentally make a ‘mess’ with a dynamic testing tool.
Tanya: SAST stands for static application security testing, which means it evaluates your written code. You don’t need to have a fully written, or ‘finished’, application when using SAST to find vulnerabilities. SAST is often also referred to as “static analysis”. SAST tools pose zero risk to your code, application, and databases, as they don't need to put data into your application or interact with it in any way to find vulnerabilities. These tools have changed quite significantly over the past three years, as there are now first generation and second generation static analysis tools.
Tanya: First generation static analysis tools tend to have an extremely high percentage of false positives, but they tend to find pretty much everything that could possibly be wrong with your application. This means that you need a security professional to help you go through those results, which can be quite time consuming; however, you can have a greater assurance of security when using these tests.
Second generation SAST tools will run in seconds to minutes, as opposed to hours or days like first generation static analysis tools. They also provide a very high ratio of true positives when compared to false positives, with almost all the results they report being correct.
That said, there are downsides. Second generation static analysis tools tend to find a lot of the things that are wrong, but not with 100% accuracy, since they don't scan through every single part of the application. Due to the way they are built, it is possible to miss some vulnerabilities.
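The trade-off Tanya describes, between a first generation tool that flags every dangerous sink and a second generation tool that only reports sinks fed by untrusted input, can be seen in miniature with two toy analysers over a constructed sample. This is an added illustration written for this article, not code from Tanya Janca, IANS or any SAST vendor; the sample program, the `request.args` taint source and the `subprocess.call` sink are assumptions chosen for the demonstration.

```python
import ast

# Constructed sample program to analyse (not code from the interview or any vendor).
SAMPLE = '''
import subprocess
def run_fixed():
    subprocess.call("ls -l", shell=True)   # constant command: safe
def run_user(request):
    cmd = request.args["cmd"]
    subprocess.call(cmd, shell=True)       # untrusted input reaches the sink
def run_indirect(request):
    cmd = request.args["cmd"]
    helper(cmd)                            # taint crosses a function boundary
def helper(c):
    subprocess.call(c, shell=True)         # vulnerable, but only via run_indirect
'''
TRULY_VULNERABLE = {"run_user", "helper"}  # ground truth for the constructed sample
SINK = ("subprocess", "call")
def functions(src):
    return [n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)]

def sink_calls(fn):
    for node in ast.walk(fn):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and (node.func.value.id, node.func.attr) == SINK):
            yield node

def first_generation(src):
    # Flag every function that calls the sink: nothing is missed, but the
    # constant command in run_fixed is reported too (false positive).
    return sorted(fn.name for fn in functions(src) if any(True for _ in sink_calls(fn)))
def second_generation(src):
    # Flag the sink only when its argument is a local assigned from
    # request.args[...]: precise, but blind to taint passed through helper().
    found = []
    for fn in functions(src):
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Subscript):
                origin = stmt.value.value
                if isinstance(origin, ast.Attribute) and origin.attr == "args":
                    tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        if any(c.args and isinstance(c.args[0], ast.Name) and c.args[0].id in tainted
               for c in sink_calls(fn)):
            found.append(fn.name)
    return sorted(found)
def score(findings):
    # (true positives, false positives, missed) against the ground truth
    f = set(findings)
    return sorted(f & TRULY_VULNERABLE), sorted(f - TRULY_VULNERABLE), sorted(TRULY_VULNERABLE - f)
```

Running `score()` over both analysers shows the first one reporting `run_fixed` as a false positive but missing nothing, and the second one reporting only true positives but missing `helper`, which is the recall gap Tanya warns about.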
Tanya: When selecting first or second generation static analysis tools keep the following in mind:
It is important to decide what level of risk your organization can tolerate.
In my estimation, 95% of companies do not need to be perfect; they just need to be very expensive for malicious actors to attempt to exploit. In which case, second generation SAST is most likely the right choice for you.
Tanya: Almost every single application security program has either static analysis, dynamic analysis, or both. That said, there are still many organizations around the world that have no application security program whatsoever. Some of them still have these tools, but often it is the software developers that have implemented them. As of this writing, these two tools are some of the most commonly used types of application security tools. I'm not sure what the future will hold, but I would love to see some innovation in this space.
February 29, 2024
By IANS Research