# Methods to identify and mitigate security vulnerabilities in software

[toc]

## Static Application Security Testing (SAST)

- **What it is**: SAST tools analyze source code, byte code, or binaries for vulnerabilities without executing the program.
- **Pros**:
  - Can be used early in the development process, making it easier and cheaper to fix issues[2].
  - Provides complete code coverage and can detect theoretical issues[10].
- **Cons**:
  - May produce false positives and require expert tuning[10].
  - Cannot identify runtime vulnerabilities or third-party interface defects[15].
- **Examples**: SpotBugs, PMD[1].

## Dynamic Application Security Testing (DAST)

- **What it is**: DAST tools test applications from the outside while they are running, simulating attacks to find vulnerabilities.
- **Pros**:
  - Language agnostic and takes a real-world approach to testing[8].
  - Can identify vulnerabilities in the outer layers of applications[9].
- **Cons**:
  - Requires a running application, so it is used later in the development process[2].
  - May miss vulnerabilities if not configured properly[4].
- **Examples**: ZAP[1].

## Software Composition Analysis (SCA)

- **What it is**: SCA tools analyze open source components within an application to detect known vulnerabilities.
- **Pros**:
  - Provides detailed security information about vulnerabilities in third-party components[1].
  - Can be used to meet compliance standards like PCI[2].
- **Cons**:
  - Not a real-time process; success depends on how current the vulnerability databases are[7].
  - Does not analyze proprietary source code[9].
- **Examples**: OWASP Dependency-Check[1].

## Manual Penetration Testing (MPT)

- **What it is**: MPT involves human testers attempting to find and exploit vulnerabilities in an application or network.
- **Pros**:
  - Can catch complex vulnerabilities like authorization issues and business logic flaws[4].
  - Provides a human perspective that can uncover issues automated tools might miss[4].
- **Cons**:
  - Time-consuming and typically more expensive than automated testing[4].
  - Requires skilled professionals to perform the tests effectively[10].

## Similarities

- All methods aim to identify and mitigate security vulnerabilities in software.
- They can be part of a comprehensive security testing strategy, often used in combination for better coverage[4].

## When to Use Each

- **SAST**: Early in the development process for in-house code analysis[2].
- **DAST**: Later in the development process for running applications, especially web applications[5].
- **SCA**: Throughout the development process to manage third-party component vulnerabilities[7].
- **MPT**: Periodically, to catch vulnerabilities that automated tools may not detect[4].

## Combining Approaches

- Using SAST, DAST, SCA, and MPT together provides a defense-in-depth strategy, covering different aspects of application security and reducing the risk of vulnerabilities slipping through[4].
- For example, SAST can be used to identify potential vulnerabilities early, while DAST can test those vulnerabilities in a running application to see if they are exploitable[5].
- SCA complements SAST by covering third-party components, and MPT provides the final human verification[4].

In conclusion, each testing method has its strengths and weaknesses, and the best approach often involves a combination of SAST, DAST, SCA, and MPT to ensure comprehensive application security.
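The SAST section above makes three claims worth seeing in code: analysis happens without running the program, every function is covered even if nothing ever calls it, and the raw rules produce false positives until they are tuned. The following checker is an added example written for this page; it is not one of the tools named above (SpotBugs, PMD). It parses Python source with the standard `ast` module, flags `eval`/`exec` and `subprocess.*(shell=True)` calls, and exposes one tuning knob (`suppress_literal_shell`, a name chosen for this example) that drops the `shell=True` finding when the command is a string literal. The analysed module `SAMPLE_SOURCE` is constructed for the example and is never executed.

```python
"""Minimal SAST-style checker (added example, not a real tool)."""
import ast
from dataclasses import dataclass

# Constructed sample module. It is only parsed, never imported or run.
SAMPLE_SOURCE = '''
import subprocess

def run_user_command(cmd):
    # Caller-controlled string reaches a shell: a real finding
    return subprocess.run(cmd, shell=True)

def run_fixed_command():
    # Constant command line: flagged by the untuned rule (false positive)
    return subprocess.run("ls -l", shell=True)

def unused_helper(expr):
    # Never called anywhere, but static analysis still sees it
    return eval(expr)
'''


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _call_name(node: ast.Call) -> str:
    """Render the callee as dotted text, e.g. 'subprocess.run' or 'eval'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _keyword(node: ast.Call, name: str):
    """Return the AST value of keyword argument `name`, or None."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan(source: str, suppress_literal_shell: bool = False) -> list[Finding]:
    """Return findings for dangerous calls, sorted by line.

    `suppress_literal_shell` is the tuning knob: when set, shell=True calls
    whose command is a string literal are not reported, because a constant
    command cannot carry attacker-controlled input.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append(Finding(node.lineno, "dynamic-eval",
                                    f"{name}() on runtime data"))
        elif name.startswith("subprocess."):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                cmd = node.args[0] if node.args else None
                literal = isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)
                if literal and suppress_literal_shell:
                    continue
                detail = " with constant command" if literal else ""
                findings.append(Finding(node.lineno, "shell-true",
                                        f"{name}(shell=True){detail}"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for label, tuned in (("untuned", False), ("tuned", True)):
        print(f"== {label} ==")
        for f in scan(SAMPLE_SOURCE, suppress_literal_shell=tuned):
            print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run untuned, the scanner reports three findings, including `unused_helper` (never called, so a DAST tool would never reach it) and the constant-command call in `run_fixed_command` (a false positive). With `suppress_literal_shell=True` the false positive disappears while the two genuine findings remain; that per-rule refinement is what "expert tuning" amounts to in practice.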
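The SCA section states that such tools match third-party components against known-vulnerability data and that their value depends on how current that data is. The following dependency checker is an added example written for this page, not OWASP Dependency-Check or any other real tool. It parses a constructed `requirements.txt`-style manifest with exact pins, compares each pin against a constructed advisory database (`ADVISORIES`, with placeholder identifiers of the form `EXAMPLE-ADV-nnnn`), and reports the age of that database so a clean result is not mistaken for proof of safety. `DB_SNAPSHOT_DATE` and every package name and version are invented for the example.

```python
"""Minimal SCA-style dependency checker (added example, not a real tool)."""
from dataclasses import dataclass
from datetime import date

# Constructed advisory database. Real SCA tools pull this from vulnerability
# feeds; these entries and identifiers are placeholders for illustration.
ADVISORIES = {
    "examplelib": [
        {"id": "EXAMPLE-ADV-0001", "affected_below": "2.4.1", "severity": "high"},
    ],
    "otherpkg": [
        {"id": "EXAMPLE-ADV-0007", "affected_below": "1.0.3", "severity": "medium"},
    ],
}
DB_SNAPSHOT_DATE = date(2024, 1, 15)  # constructed: when the feed was last refreshed

# Constructed manifest with exact pins.
REQUIREMENTS = """
examplelib==2.3.0
otherpkg==1.0.3
requests==2.31.0  # absent from the database: no finding, not proof of safety
"""


def parse_version(text: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> dict:
    """Map lowercase package name to pinned version; comments are ignored."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"only exact '==' pins are supported: {raw!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass
class Match:
    package: str
    version: str
    advisory_id: str
    severity: str


def check(pins: dict, advisories: dict = ADVISORIES) -> list:
    """Return one Match per advisory whose affected range covers the pin.

    A pin equal to `affected_below` is the fixed release and is not matched.
    """
    matches = []
    for name, version in pins.items():
        for adv in advisories.get(name, []):
            if parse_version(version) < parse_version(adv["affected_below"]):
                matches.append(Match(name, version, adv["id"], adv["severity"]))
    return matches


def database_age_days(today: date, snapshot: date = DB_SNAPSHOT_DATE) -> int:
    """Days since the advisory feed was refreshed; large values mean stale results."""
    return (today - snapshot).days


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for m in check(pins):
        print(f"{m.package}=={m.version}: {m.advisory_id} ({m.severity})")
    age = database_age_days(date.today())
    if age > 7:
        print(f"warning: advisory data is {age} days old; refresh before trusting a clean result")
```

Only `examplelib` is reported: `otherpkg` sits exactly on the fixed version, and `requests` is simply absent from the constructed feed. The staleness warning is the practical counterpart of the "currency of vulnerability databases" caveat, since a scan against an old snapshot cannot know about anything published after it.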
Citations:

- [1] https://fluidattacks.com/blog/differences-between-sast-sca-dast/
- [2] https://snyk.io/learn/application-security/sast-vs-dast/
- [3] https://www.trustradius.com/products/veracode/reviews?qs=pros-and-cons
- [4] https://www.veracode.com/blog/managing-appsec/defense-depth-why-you-need-dast-sast-sca-and-pen-testing
- [5] https://www.csoonline.com/article/568049/top-sast-and-dast-tools.html
- [6] https://techbeacon.com/sast-dast-iast-rasp-pros-cons-how-choose
- [7] https://www.techtarget.com/searchsecurity/tip/Understanding-3-key-automated-DevSecOps-tools
- [8] https://praetoriansecure.com/sast-vs-dast-vs-sca-which-method-works-best/
- [9] https://forwardsecurity.com/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/
- [10] https://www.clouddefense.ai/the-differences-between-sca-sast-and-dast/
- [11] https://www.reddit.com/r/devsecops/comments/159d4zd/security_tools_for_devsecops_toolchain/?rdt=59709
- [12] https://fluidattacks.com/blog/security-testing-fundamentals/
- [13] https://securityboulevard.com/2020/12/defense-in-depth-why-you-need-dast-sast-sca-and-pen-testing/
- [14] https://docs.fluidattacks.com/about/compare/mpt/
- [15] https://devops.com/sast-dast-sca-whats-best-for-appsec-testing/
- [16] https://blog.shiftleft.io/sast-vs-dast-vs-sca-a-comparison-2d42cea6579f?gi=abc9059e009e