What is application security testing? Application security testing is a crucial part of the software development process that ensures new or updated software applications do not contain security vulnerabilities and are more resistant to security threats.
Organisations have begun to adopt DevOps practices as a way to speed up the delivery of applications and software services.
The core methodology of the DevOps approach is continuous integration (CI) and continuous delivery (CD), which emphasise task automation. Thus, it is important to add application security testing to the CI/CD pipeline. In addition, the number of known vulnerabilities and threat vectors keeps growing as the use of open source components and enterprise software increases.
The most common types of application security testing for pipeline security are static application security testing (SAST) and dynamic application security testing (DAST).
Static Application Security Testing (SAST)
SAST analyses, scans and checks the source code of an application to detect vulnerable code that can lead to security issues. There are many benefits to integrating SAST into CI/CD pipelines. When integrated into CI/CD pipelines, SAST tools increase the speed of delivering secure applications. This is because a SAST tool offers secure automation: it helps improve the source code and reports security issues in the application's source code before the application is deployed to users.
Dynamic Application Security Testing (DAST)
DAST focuses on detecting vulnerabilities that are exposed outside the application by testing the running application. The testing is based on the hacker's approach, where malicious attacks are simulated against the application to identify potential vulnerabilities. SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF) are among the vulnerabilities that DAST can detect. As with SAST, when integrated into the CI/CD pipeline, DAST offers early detection of cyber risk before the application is published.
Differences between DAST and SAST
In comparison, SAST analyses the source code without running the application, while DAST requires a running application and does not require source code. SAST is described as white-box security testing, as the application is tested from the inside out, while DAST is labelled black-box security testing, since the testing is done from the outside in. In other words, SAST is an approach based on the developer's view, while DAST makes use of the hacker's approach to finding vulnerabilities in the application. In terms of vulnerability detection, SAST finds vulnerabilities earlier in the SDLC, while DAST finds vulnerabilities at the end of the SDLC.
In conclusion, SAST and DAST complement each other in securing the CI/CD pipeline. Therefore, integrating both SAST and DAST is essential to reducing risk and enabling the project team to produce high-quality software applications or services.
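Putting both stages into one pipeline, as an added example that is not from the article or from E-SPIN: a GitHub Actions workflow in which the SAST job runs on the source tree without starting the application, and the DAST job runs only after a deployment, against the running staging instance. The tool choice (Semgrep for SAST, the OWASP ZAP baseline scan for DAST), the staging URL and the deploy script are assumptions.

```yaml
# Added example, not the article's own content. Tool choice, staging URL
# and the deploy script are assumptions; replace them with the project's own.
name: pipeline-security

on:
  pull_request:
  push:
    branches: [main]

jobs:
  sast:
    # White-box stage: scans the source code, no running application needed.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Semgrep
        run: pip install semgrep
      - name: Run SAST and fail the build on ERROR-severity findings
        run: semgrep scan --config auto --severity ERROR --error --sarif -o semgrep.sarif
      - uses: actions/upload-artifact@v4
        if: always()          # keep the report even when the scan fails the job
        with:
          name: sast-report
          path: semgrep.sarif

  dast:
    # Black-box stage: needs a running application, so it waits for SAST
    # to pass and for the build to be deployed to a staging environment.
    needs: sast
    runs-on: ubuntu-latest
    env:
      STAGING_URL: https://staging.example.invalid   # placeholder URL
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging (placeholder for the project's own deploy step)
        run: ./scripts/deploy-staging.sh             # assumed script
      - name: Run ZAP baseline scan (passive checks) against the running app
        run: |
          docker run --rm -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t "$STAGING_URL" -r zap-report.html
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: dast-report
          path: zap-report.html
```

The ZAP baseline script returns a non-zero exit code on FAIL and, by default, also on WARN, so the job fails and publication stops until the findings are reviewed; pass `-I` to treat warnings as informational only.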
E-SPIN Group is in the enterprise ICT solution supply, consulting, project management, training and maintenance support business for multinational corporations and government agencies across the region in which E-SPIN does business. Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you with the packaged solutions you may require for your security and vulnerability management.