WP SAST, DAST & IAST | The 'Hows' of Applicaton Security Testing | Imperva



What Is SAST?

Static Application Security Testing (SAST), or “white-box”, tools inspect source code or binaries and provide feedback on possible vulnerabilities. These tools are used during the development phase of the SDLC.

Advantages of SAST include:

  • Fixing vulnerabilities is cheaper since it comes earlier in process
  • Analyzes 100% of codebase more quickly than possible by humans
  • Done before the application is in production and without execution of the program
  • Gives real-time feedback and graphical representations of issues found
  • Points out the exact location of vulnerabilities and problem code
  • Offers customized reports that can be exported and tracked with dashboards
  • Automation is possible

Disadvantages of SAST include:

  • Needs to synthesize data to test code leading to false positives
  • Language-dependency makes tools difficult to build and maintain, and requires a different tool for each language used
  • Not good at understanding libraries or frameworks, like API or REST endpoints
  • Unable to check calls or most argument values

What Is DAST?

Dynamic Application Security Testing (DAST), also known as “black-box” tools, test products during operation and provide feedback on compliance and general security issues. These tools are used during the testing and QA phase of the SDLC.

Advantages of DAST include:

  • Highlights authentication and server configuration issues
  • Language independent
  • Evaluates whole application and system
  • Checks memory consumption and resource use
  • Attempts to break encryption algorithms from outside
  • Verifies permissions to ensure isolation of privilege levels
  • Checks for cross-site scripting, SQL injection, and cookie manipulation
  • Tests for vulnerabilities in third-party interfaces
  • Understands arguments and function calls

Disadvantages of DAST include:

  • Doesn’t evaluate code itself or highlight vulnerabilities in code, only resulting issues
  • Used after development is complete so fixing vulnerabilities is more expensive
  • Large projects require custom infrastructure and multiple instances of the application run in parallel
  • Produces a large number of false positives


Differences between SAST and DAST include:

Takes the developer approach━testers have access to underlying framework, design and implementation Takes the hacker approach━testers have no knowledge of the internals
Requires source code or binary, doesn’t require program execution Execution of program required, don’t need access to code or binary
Early in the SDLC Late in the SDLC
Evaluates application Evaluates environment and runtime issues
Supports testing of sequential design process environments, real-time systems, mobile applications and software on embedded devices Supports testing of web applications and services, servers, databases and caches

Using Both SAST and DAST

SAST and DAST can and should be used together. When DAST tools are used, their outputs can be used to inform and refine SAST rules, improving early identification of vulnerabilities. This process of refinement allows SAST to be the primary method of uncovering issues and DAST to be the verification check before a product is pushed to production.

What Is IAST?

Interactive Application Security Testing (IAST) tools are developed to address the flaws in SAST and DAST tools by combining the two approaches. They are dynamic and identify issues during operation, like DAST, but run from inside the application server, and evaluate code like SAST. IAST tools only evaluate the part of the application exercised by the test and are used during the testing and QA phase of SDLC. They are most effectively used in QA environments with automated functional tests and as a companion to other tools.

Advantages of IAST include:

  • Able to integrate with continuous integration (CI) and continuous development (CD) tools
  • Provides detailed information on the root of vulnerabilities, including code location
  • Real-time results
  • Allows API testing, good for products using microservices
  • Promotes reuse of existing test cases
  • Integrates to allow an analysis of source code, runtime control and data flow, configuration, and use of libraries and frameworks
  • Combination of SAST and DAST functionality allows more accurate results and identification of a broader range of vulnerabilities

Disadvantages of IAST include:

  • Tools are proprietary, creating reliance on the supplier for support
  • Limited language support

RASP: Post Deployment Protection

RASP protection process

RASP protection process

RASP is the evolution of SAST, DAST and IAST tools. Runtime Application Self Protection (RASP) tools integrate with applications and analyze traffic and end-user behavior at runtime to prevent attacks. These tools are used after product release so they are more focused on security than testing.

Advantages of RASP include:

  • Runs continuous security checks and can respond to attacks with session termination or alerts
  • Integrates with the application, not reliant on network-level protections or remote connectivity
  • Has code-level visibility for greater protection
  • Provides a log of activity for analysis
  • Not language or platform dependent
  • Covers a broad range of vulnerabilities

Disadvantages of RASP include:

  • Can only be used in production
  • Tempting to use as a fallback for catching vulnerabilities, leading to less rigorous pre-release testing

See how Imperva RASP can help you with protecting your application.

Imperva RASP Solutions

Once you’re ready to deploy your applications, Imperva RASP is here to keep them protected and give you essential feedback for eliminating any additional risks. It requires no changes to code and integrates easily with existing applications and DevOps processes, protecting you from both known and zero-day attacks.

In addition, Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible and safe. The Imperva application security solution includes:

  • DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
  • CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
  • WAF—cloud-based solution permits legitimate traffic and prevents bad traffic, safeguarding applications at the edge. Gateway WAF keeps applications and APIs inside your network safe.
  • Advanced bot protection—analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic.
  • API security—protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities.
  • Account takeover protection—uses an intent-based detection process to identify and defends against attempts to take over users’ accounts for malicious purposes.
  • RASP—keep your applications safe from within against known and zero‑day attacks. Fast and accurate protection with no signature or learning mode.
  • Attack analytics—mitigate and respond to real security threats efficiently and accurately with actionable intelligence across all your layers of defense.