We keep hearing people talk about static application security testing (SAST) and dynamic application security testing (DAST) as the two dominant forms of application security testing, with the less mainstream interactive application security testing (IAST), software composition analysis (SCA) and mobile application security testing (mobile AST) alongside them. Some keep proposing that SAST is the ultimate choice, because it works on the source code, where the vulnerability has its root: by fixing the vulnerable code, we fix the vulnerability at the very earliest stage of software development. This is why it should be the first choice if only one AST is to be adopted, at least from the development point of view; it does, however, require users who can understand the output report and its recommendations on what to fix, and who are capable of carrying those fixes out.
If you are not able to understand the programming language the source code is written in, or the majority of your work does not involve source code because you mainly deal with commercial-off-the-shelf (COTS) software, then dynamic application security testing may be a better starting point.
Of course, if you can afford both SAST and DAST to cover your entire software development lifecycle, that is the ideal scenario. With this combination of solutions you cover the whole lifecycle, from development through security assurance to production. If penetration testing is in scope, you can add manual application security testing (MAST) for a complete solution.
A mobile application exists in source code form before it becomes a mobile app, so it can be scanned with SAST. If you want to perform mobile app pentesting, you can proxy the app's traffic through your DAST and use manual AST to cover your mobile app security requirements. Where mobile application security is a serious concern, it is good practice to follow mobile app security testing standards.
We do not believe that one tool is better than another, since it depends on the use case: you need the right tool for the right case. Of course, if your application security testing is only a one-off or ad hoc exercise, engaging a managed application security testing provider may be the better way, since you do not need to keep and maintain a tool you no longer need, which over the long run will save your company a lot.
E-SPIN Group is in the business of enterprise ICT solution supply, consulting, project management, training and maintenance for multinational corporations and government agencies across the region in which we do business. For the application security testing (AST) domain, feel free to engage E-SPIN for a complete solution or a point solution, or even for a managed service or project services engagement. E-SPIN will be there to assist customers with their various requirements.