SAST and DAST: Part of a balanced software security initiative

The original version of this post was published on SecurityWeek.

“…is part of this balanced breakfast…”

This is the claim of many sugary cereals aimed directly at children. It is also the claim of many vendors in the software security market.

Selling cereal targeting children is an interesting proposition. To make the adults that ultimately have to buy the cereal feel better, the cereal in question is shown as a component of a larger breakfast offering composed of milk, fruit, toast, and some form of juice, with the suggestion that the cereal is part of a “complete” or “balanced” breakfast.

The goal here is to mollify fears that the cereal your child is requesting is the equivalent of crushing cookies and placing them in a bowl. By portraying the cereal as part of a balanced breakfast, the vendor is hoping you buy the intimation the cereal is an equal player in creating a healthy balance. Of course, the reality is that the balance is due largely to the milk, fruit, bread, and juice – the cereal actually brings down the nutritional score of the other assembled parts. Read at face value, the vendor is saying that the cereal on its own does not represent a balanced breakfast.

I use this metaphor because many testing vendors sell you a tool—their tool—as your answer to software security. If you carefully analyze their words, what you will see is that their tool is the bowl of sugary cereal bringing down your nutrition value. Like cereal ads, vendors speak to the benefits of the milk, fruits, breads, and juice, but it is not their tool that delivers those benefits.

The truth is that, aside from tools, there are many types of application security testing (AST) that can be used to determine the vulnerabilities in software. Static (SAST) and dynamic (DAST) testing are the most established and widely used, but there are others. An accepted truth is that different types of tests will find different things. Business logic testing adds human security expertise to the process, finding vulnerabilities that automated scans may miss. So real accuracy—the balanced breakfast—is found in a combination of tools and human expertise.
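To make the "different tests find different things" point concrete, here is an added example that is not part of the original post and not Synopsys or Cigital code. It uses a constructed sample of application source containing two defects: an SQL-string-concatenation bug of the kind a pattern-based static scanner flags, and a refund-calculation flaw that violates a business rule ("a refund never exceeds the order total") but matches no code pattern. A toy regex (`INJECTION_PATTERN`) stands in for a SAST rule, and `refund_rule_violations` stands in for the human-authored business-logic test; both names, the sample source, and the rule itself are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample application source (a string, so the toy static check can scan it).
# Line 2 concatenates user input into SQL; line 5 has a business-logic flaw that
# ignores how many items were actually purchased.
SAMPLE_SOURCE = """\
def find_user(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = '" + username + "'").fetchone()

def apply_refund(order_total, quantity_purchased, quantity_returned, unit_price):
    return quantity_returned * unit_price
"""

# Toy stand-in for a SAST rule: a string literal concatenated straight into execute().
INJECTION_PATTERN = re.compile(r'execute\(\s*["\'].*?["\']\s*\+')


def sast_style_findings(source):
    """Return the 1-based line numbers a pattern-based scan would flag."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if INJECTION_PATTERN.search(line)]


def find_user_fixed(conn, username):
    """Remediated query: bind the value as a parameter instead of concatenating it."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()


def apply_refund(order_total, quantity_purchased, quantity_returned, unit_price):
    """Same flawed logic as in SAMPLE_SOURCE, defined here so it can be exercised."""
    return quantity_returned * unit_price


def apply_refund_fixed(order_total, quantity_purchased, quantity_returned, unit_price):
    """Remediated logic: reject out-of-range quantities and cap at what was paid."""
    if quantity_returned < 0 or quantity_returned > quantity_purchased:
        raise ValueError("returned quantity out of range")
    return min(quantity_returned * unit_price, order_total)


def refund_rule_violations(refund_fn, order_total=50.0, quantity_purchased=2, unit_price=25.0):
    """Business-logic test a human tester writes from the rule 'a refund is never
    negative and never exceeds the order total'. Returns the names of the cases
    in which refund_fn breaks the rule; an exception counts as a correct rejection."""
    cases = {"over_return": 5, "negative_return": -1, "normal_return": 1}
    violations = []
    for name, qty in cases.items():
        try:
            refund = refund_fn(order_total, quantity_purchased, qty, unit_price)
        except ValueError:
            continue
        if refund < 0 or refund > order_total:
            violations.append(name)
    return violations


def make_demo_db():
    """Constructed in-memory database with one user, for exercising find_user_fixed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (id, name) VALUES (7, 'alice')")
    return conn


if __name__ == "__main__":
    print("pattern scan flags lines:", sast_style_findings(SAMPLE_SOURCE))
    print("logic flaws in original refund:", refund_rule_violations(apply_refund))
    print("logic flaws in fixed refund:", refund_rule_violations(apply_refund_fixed))
    print("parameterized lookup:", find_user_fixed(make_demo_db(), "alice"))
```

Running it shows the scan flagging only line 2: the refund flaw on line 5 is syntactically unremarkable, and only a test written from knowledge of the business rule exposes it. That is the gap a combination of tools and human expertise is meant to close.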

Posted by Jim Ivers

Jim Ivers is the senior director of marketing within Synopsys' Software Integrity Group where he leads all aspects of SIG's global marketing strategies, branding initiatives, and programs, as well as product management and product marketing. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Synopsys, Jim was the CMO at companies such as Cigital, Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.
