Tony Ramirez is a former Senior Application Security Analyst at NowSecure. He holds a master’s degree in cyber forensics and security from Illinois Institute of Technology.
Why are static app tests a problem?
Static source code scanners create a lot of false positives, and false positives suck. Dynamic testing reduces false positives, shows you real results, and gets you a faster turnaround in fixing issues in your apps.
What is the difference between SAST vs. DAST?
Static Application Security Testing (SAST) tests the source code, byte code or the binary of an application to detect security vulnerabilities by identifying specific patterns in the code. Dynamic Application Security Testing (DAST) assesses application binaries for security vulnerabilities from the outside without access to source code.
The Difference Between Static and Dynamic Testing
The differences between static and dynamic really aren’t that complicated. What you’re doing with static analysis is you’re looking for certain parameters, certain strings, certain text — you know if that combination is used, it’s typically that issue. You need source code to do that.
If a developer leaves code in that never actually gets called upon, it never gets used … static source code scanners actually look at those spots; they might lead to false positives or, even worse, a false negative, and that causes a huge amount of problems.
Static source code scanning leads to a lot of work for developers and creates a lot of false issues. With dynamic, on the other hand, we’re actually observing the act. We’re seeing how it runs on a device. It would be like reading about how to be a runner, versus watching somebody run and learning how their technique works. That’s what we’re doing.
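The dead-code false positive described above, shown concretely as an added example (this is illustrative code, not NowSecure's tooling): a pattern-based "static scanner" flags every weak-hash call in a small constructed sample app, including one in a function nothing ever calls, while a trace hook that watches the app run records which functions actually execute. The sample app, the `hashlib.md5(` pattern and the function names are all hypothetical.

```python
import ast
import re
import sys
import types

# Constructed sample "app". legacy_checksum() is dead code: nothing calls it,
# but a text-pattern scanner has no way to know that.
SAMPLE_APP = '''
import hashlib

def legacy_checksum(data):
    # Never called anywhere, yet the weak hash below is still in the source.
    return hashlib.md5(data).hexdigest()

def current_checksum(data):
    return hashlib.sha256(data).hexdigest()

def store_password(pw):
    # Weak hash that really runs at runtime: this one matters.
    return hashlib.md5(pw.encode()).hexdigest()

def main():
    current_checksum(b"payload")
    store_password("hunter2")
'''

# The "certain string, certain text" rule a static scanner matches on (hypothetical rule).
WEAK_HASH = re.compile(r"hashlib\.md5\(")


def static_scan(source):
    """Pattern-based SAST: report (enclosing function, line) for every match, reachable or not."""
    tree = ast.parse(source)
    owner = {}  # line number -> name of the function that contains it
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            for ln in range(node.lineno, node.end_lineno + 1):
                owner[ln] = node.name
    findings = []
    for ln, line in enumerate(source.splitlines(), start=1):
        if WEAK_HASH.search(line):
            findings.append((owner.get(ln, "<module>"), ln))
    return findings


def dynamic_observe(source, entry="main"):
    """Run the app under a trace hook and record which of its functions actually execute."""
    module = types.ModuleType("sample_app")
    exec(compile(source, "<sample_app>", "exec"), module.__dict__)
    executed = set()

    def tracer(frame, event, arg):
        # Only record call events for frames that belong to the sample app itself.
        if event == "call" and frame.f_code.co_filename == "<sample_app>":
            executed.add(frame.f_code.co_name)
        return None  # no per-line tracing needed

    sys.settrace(tracer)
    try:
        getattr(module, entry)()
    finally:
        sys.settrace(None)
    return executed


def confirmed_findings(source):
    """Keep only static findings that sit in code the dynamic run actually executed."""
    executed = dynamic_observe(source)
    return [f for f in static_scan(source) if f[0] in executed]


def likely_false_positives(source):
    """Static findings in functions that never ran on the exercised path."""
    confirmed = set(confirmed_findings(source))
    return [f for f in static_scan(source) if f not in confirmed]


if __name__ == "__main__":
    print("static findings   :", static_scan(SAMPLE_APP))
    print("executed functions:", sorted(dynamic_observe(SAMPLE_APP)))
    print("confirmed         :", confirmed_findings(SAMPLE_APP))
    print("likely false pos. :", likely_false_positives(SAMPLE_APP))
```

The static pass reports two weak-hash findings; the dynamic run shows that only `store_password` ever executes, so one finding is confirmed and the `legacy_checksum` hit is the dead-code false positive the text describes. The caveat cuts the other way too: the dynamic run only vouches for the paths that were exercised, so a weak call on a path the run never reached would stay unobserved, which is why the two approaches are complementary rather than interchangeable.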
Why are false positives so bad?
The reason we say false positives suck is because they do. A lot of organizations out there are trying to fix their app as quickly as possible. False positives really cut down on the time they can spend doing better testing, fixing bigger problems, and really helping train their security analysts and developers. False positives suck.
NowSecure’s dynamic security testing can help transform your app development cycle. Try a demo today to see what it can do for you.