Application security testing is the process of making applications more resistant to security threats, by identifying security weaknesses and vulnerabilities in source code.
AST started as a manual process. Today, due to the growing modularity of enterprise software, the huge number of open source components, and a large number of known vulnerabilities and threat vectors, Application security testing must be automated.
Static Application Security Testing (SAST)
Static Application Security Testing tools use a white box testing approach, in which testers inspect the inner workings of an application. Static Application Security Testing inspects static source code and reports on security weaknesses.
Static testing tools can be applied to non-compiled code to find issues like syntax errors, math errors, input validation issues, invalid or insecure references. They can also run on compiled code using binary and byte-code analyzers.
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing tools take a black-box testing approach. They execute code and inspect it in runtime, detecting issues that may represent security vulnerabilities. This can include issues with query strings, requests and responses, the use of scripts, memory leakage, cookie and session handling, authentication, execution of third-party components, data injection, and DOM injection.
Dynamic Application Security Testing tools can be used to conduct large-scale scans simulating a large number of unexpected or malicious test cases and reporting on the application’s response.
Interactive Application Security Testing (IAST)
Interactive Application Security Testing tools are the evolution of Static Application Security Testing and Dynamic Application Security Testing tools—combining the two approaches to detect a wider range of security weaknesses. Like Dynamic Application Security Testing tools, Interactive Application Security Testing tools run dynamically and inspect software during runtime. However, they are run from within the application server, allowing them to inspect compiled source code like Interactive Application Security Testing tools do.
Interactive Application Security Testing tools can provide valuable information about the root cause of vulnerabilities and the specific lines of code that are affected, making remediation much easier. They can analyze source code, data flow, configuration and third-party libraries, and are suitable for API testing.
Mobile Application Security Testing (MAST)
Mobile Application Security Testing tools combine static analysis, dynamic analysis and investigation of forensic data generated by mobile applications. They can test for security vulnerabilities like Static Application Security Testing, Dynamic Application Security Testing and Interactive Application Security Testing, and in addition address mobile-specific issues like jailbreaking, malicious wifi networks, and data leakage from mobile devices.
Software Composition Analysis (SCA)
Software Composition Analysis tools help organizations conduct an inventory of third-party commercial and open source components used within their software. Enterprise applications can use thousands of third-party components, which may contain security vulnerabilities. Software Composition Analysis helps understand which components and versions are actually being used, identify the most severe security vulnerabilities affecting those components, and understand the easiest way to remediate them.
Runtime Application Self-Protection (RASP)
Runtime Application Self-Protection tools evolved from Static Application Security Testing, Dynamic Application Security Testing and Interactive Application Security Testing. They are able to analyze application traffic and user behavior at runtime, to detect and prevent cyber threats.
Like the previous generation of tools, Runtime Application Self-Protection has visibility into application source code and can analyze weaknesses and vulnerabilities. It goes one step further by identifying that security weaknesses have been exploited, and providing active protection by terminating the session or issuing an alert.
Runtime Application Self-Protection tools integrate with applications and analyze traffic at runtime, and can not only detect and warn about vulnerabilities but actually prevent attacks. Having this type of in-depth inspection and protection at runtime makes Static Application Security Testing, Dynamic Application Security Testing and Interactive Application Security Testing much less important, making it possible to detect and prevent security issues without costly development work.