
Methods to identify and mitigate security vulnerabilities in software

Static Application Security Testing (SAST)

  • What it is: SAST tools analyze source code, byte code, or binaries for vulnerabilities without executing the program.
  • Pros:
    • Can be used early in the development process, making it easier and cheaper to fix issues[2].
    • Provides complete code coverage and can detect theoretical issues[10].
  • Cons:
    • May produce false positives and require expert tuning[10].
    • Cannot identify runtime vulnerabilities or third-party interface defects[15].
  • Examples: SpotBugs, PMD[1].
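To make the SAST idea concrete, the following added example (not code from the page or from SpotBugs/PMD) is a miniature static analyzer written in Python: it parses a constructed source snippet with the standard `ast` module and reports dangerous call patterns without ever executing the code. The rule names, the sample source and the "constant argument" tuning heuristic are all assumptions made for the example; they also illustrate why SAST output needs expert review, since a literal-only `eval("1 + 1")` is flagged like any other.

```python
import ast
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the code under test is parsed, never executed.
SAMPLE_SOURCE = '''
import subprocess, pickle
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def safe(cmd):
    return subprocess.run(["ls", "-l"], shell=False)
def calc(expr):
    return eval(expr)
def constant():
    return eval("1 + 1")
'''


@dataclass
class Finding:
    rule: str    # rule identifier (assumed names for this example)
    line: int    # 1-based line in the scanned source
    detail: str  # human-readable explanation


# Call targets treated as sinks by this toy rule set.
DANGEROUS_CALLS = {
    "eval": "builtin-eval",
    "exec": "builtin-eval",
    "pickle.load": "pickle-load",
    "pickle.loads": "pickle-load",
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call",
                    "subprocess.Popen", "subprocess.check_output"}


def _call_name(func: ast.expr) -> Optional[str]:
    """Resolve `name(...)` or `module.name(...)` into a dotted string."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


class DangerousCallVisitor(ast.NodeVisitor):
    """Walk every Call node and record the ones matching the rules above."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        if name in DANGEROUS_CALLS:
            detail = f"{name}() called"
            # Tuning heuristic: an argument list made only of literals cannot
            # carry attacker input, so mark it for review rather than as a hit.
            if node.args and all(isinstance(a, ast.Constant) for a in node.args):
                detail += " with constant argument (likely false positive)"
            self.findings.append(Finding(DANGEROUS_CALLS[name], node.lineno, detail))
        elif name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        Finding("subprocess-shell", node.lineno, f"{name}(..., shell=True)"))
        self.generic_visit(node)  # keep walking nested expressions


def scan_source(source: str) -> list[Finding]:
    """Parse the source text and return findings ordered by line number."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Note what the scanner cannot see: it has no idea whether `expr` in `calc()` ever carries untrusted input at runtime, and the `shell=False` call on line 8 is silently accepted even if `cmd` came from a request. Those are exactly the runtime and data-flow questions the cons above say SAST leaves to DAST and to human review.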

Dynamic Application Security Testing (DAST)

  • What it is: DAST tools test applications from the outside while they are running, simulating attacks to find vulnerabilities.
  • Pros:
    • Language agnostic and takes a real-world approach to testing[8].
    • Can identify vulnerabilities in the outer layers of applications[9].
  • Cons:
    • Requires a running application, so it's used later in the development process[2].
    • May miss vulnerabilities if not configured properly[4].
  • Examples: ZAP[1].

Software Composition Analysis (SCA)

  • What it is: SCA tools analyze open source components within an application to detect known vulnerabilities.
  • Pros:
    • Provides detailed security information about vulnerabilities in third-party components[1].
    • Can be used to meet compliance standards like PCI[2].
  • Cons:
    • Not a real-time process, and its effectiveness depends on how current the vulnerability databases it consults are[7].
    • Does not analyze proprietary source code[9].
  • Examples: OWASP Dependency-Check[1].
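The following added example (not code from the page or from OWASP Dependency-Check) shows the core SCA loop in Python: read a dependency manifest, match each pinned component against an advisory database, and report affected versions. The requirements file, the advisory entries (identifiers like `EXAMPLE-ADV-0001` are placeholders, not real CVEs), the snapshot date and the simple dotted-numeric version comparison are all assumptions made for the example; real tools use richer version semantics and a live feed. The staleness check at the end reflects the "currency of the database" caveat listed above.

```python
from dataclasses import dataclass
from datetime import date

# Constructed requirements.txt for the example, not a real project manifest.
REQUIREMENTS = """\
# pinned dependencies
requests==2.19.0
flask==2.3.0  # web framework
urllib3==1.24.1
pyyaml>=5.0
"""


@dataclass(frozen=True)
class Advisory:
    id: str          # placeholder identifier, not a real CVE or GHSA
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


# Constructed advisory snapshot standing in for a vulnerability database.
ADVISORY_DB = [
    Advisory("EXAMPLE-ADV-0001", "requests", "0", "2.20.0"),
    Advisory("EXAMPLE-ADV-0002", "urllib3", "1.0", "1.24.2"),
    Advisory("EXAMPLE-ADV-0003", "flask", "0", "0.12.3"),
]
ADVISORY_DB_SNAPSHOT = date(2024, 1, 1)  # constructed date of the snapshot


def parse_version(v: str) -> tuple[int, ...]:
    """Assumes plain dotted numeric versions such as '1.24.1'."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> tuple[dict[str, str], list[str]]:
    """Return {package: version} for exact pins plus the lines that were not pinned."""
    pinned: dict[str, str] = {}
    unresolved: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if "==" in line:
            name, version = (p.strip() for p in line.split("==", 1))
            pinned[name.lower()] = version
        else:
            # Ranges like 'pyyaml>=5.0' cannot be checked without a lock file.
            unresolved.append(line)
    return pinned, unresolved


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan_requirements(text: str, db: list[Advisory]) -> list[tuple[str, str, str]]:
    """Match pinned components against the advisory list; returns (package, version, id)."""
    pinned, _ = parse_requirements(text)
    hits = []
    for adv in db:
        version = pinned.get(adv.package)
        if version is not None and is_affected(version, adv):
            hits.append((adv.package, version, adv.id))
    return hits


def database_is_stale(snapshot: date, today: date, max_age_days: int = 7) -> bool:
    """A scan against an old snapshot can miss advisories published since then."""
    return (today - snapshot).days > max_age_days


if __name__ == "__main__":
    for package, version, adv_id in scan_requirements(REQUIREMENTS, ADVISORY_DB):
        print(f"{package}=={version} affected by {adv_id}")
    _, unresolved = parse_requirements(REQUIREMENTS)
    for line in unresolved:
        print(f"not checked (unpinned): {line}")
    if database_is_stale(ADVISORY_DB_SNAPSHOT, date.today()):
        print("warning: advisory snapshot is stale; refresh before trusting results")
```

Two things the example makes visible that the bullet list only states: an unpinned range cannot be matched at all (SCA is only as good as the resolved dependency set, which is why lock files matter), and nothing in the scan touches the project's own source, so a flaw in first-party code is out of scope by construction.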

Manual Penetration Testing (MPT)

  • What it is: MPT involves human testers attempting to find and exploit vulnerabilities in an application or network.
  • Pros:
    • Can catch complex vulnerabilities like authorization issues and business logic flaws[4].
    • Provides a human perspective that can uncover issues automated tools might miss[4].
  • Cons:
    • Time-consuming and typically more expensive than automated testing[4].
    • Requires skilled professionals to perform the tests effectively[10].

Similarities

  • All methods aim to identify and mitigate security vulnerabilities in software.
  • They can be part of a comprehensive security testing strategy, often used in combination for better coverage[4].

When to Use Each

  • SAST: Early in the development process for in-house code analysis[2].
  • DAST: Later in the development process for running applications, especially web applications[5].
  • SCA: Throughout the development process to manage third-party component vulnerabilities[7].
  • MPT: Periodically, to catch vulnerabilities that automated tools may not detect[4].

Combining Approaches

  • Using SAST, DAST, SCA, and MPT together provides a defense-in-depth strategy, covering different aspects of application security and reducing the risk of vulnerabilities slipping through[4].
  • For example, SAST can be used to identify potential vulnerabilities early, while DAST can test those vulnerabilities in a running application to see if they are exploitable[5].
  • SCA complements SAST by covering third-party components, and MPT provides the final human verification[4].

In conclusion, each testing method has its strengths and weaknesses, and the best approach often involves a combination of SAST, DAST, SCA, and MPT to ensure comprehensive application security.

Citations:
[1] https://fluidattacks.com/blog/differences-between-sast-sca-dast/
[2] https://snyk.io/learn/application-security/sast-vs-dast/
[3] https://www.trustradius.com/products/veracode/reviews?qs=pros-and-cons
[4] https://www.veracode.com/blog/managing-appsec/defense-depth-why-you-need-dast-sast-sca-and-pen-testing
[5] https://www.csoonline.com/article/568049/top-sast-and-dast-tools.html
[6] https://techbeacon.com/sast-dast-iast-rasp-pros-cons-how-choose
[7] https://www.techtarget.com/searchsecurity/tip/Understanding-3-key-automated-DevSecOps-tools
[8] https://praetoriansecure.com/sast-vs-dast-vs-sca-which-method-works-best/
[9] https://forwardsecurity.com/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/
[10] https://www.clouddefense.ai/the-differences-between-sca-sast-and-dast/
[11] https://www.reddit.com/r/devsecops/comments/159d4zd/security_tools_for_devsecops_toolchain/?rdt=59709
[12] https://fluidattacks.com/blog/security-testing-fundamentals/
[13] https://securityboulevard.com/2020/12/defense-in-depth-why-you-need-dast-sast-sca-and-pen-testing/
[14] https://docs.fluidattacks.com/about/compare/mpt/
[15] https://devops.com/sast-dast-sca-whats-best-for-appsec-testing/
[16] https://blog.shiftleft.io/sast-vs-dast-vs-sca-a-comparison-2d42cea6579f?gi=abc9059e009e