1. Static Application Security Testing (SAST):
It is a white-box testing method, meaning it requires access to the source code to function. It finds security flaws and weaknesses such as SQL injection by examining the code before it is deployed. SAST does not require a running system to perform its evaluation.
Static Application Security Testing (SAST) is a highly scalable security testing method. It can also be automated, which saves time and money. SAST is performed early in the Software Development Life Cycle (SDLC), so potential security vulnerabilities are found earlier, when they are cheapest to fix.
2. Dynamic Application Security Testing (DAST):
It is a black-box testing method, which means tests are performed from outside the running application rather than by looking into its source code or architecture. It is run against the application to find a broad range of vulnerabilities. DAST requires a running system to perform its evaluation.
Security vulnerabilities linked to the operational deployment of a software application can be found through Dynamic Application Security Testing (DAST). In DAST, testers perform actions similar to an attacker, which helps find vulnerabilities that may be missed by other testing techniques.
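The page's point that DAST works against the deployed, running system and can therefore catch run-time and environment issues that SAST cannot is shown below with an added example (written for this page, not code from any tool the page describes). It starts a constructed stand-in web application on a loopback port, then probes it black-box style with a plain HTTP GET and reports which protective response headers the deployment fails to send; a second, hardened handler shows the same application with the headers configured. The header list in `EXPECTED_HEADERS` is an assumption about this example's policy, and the two handlers are constructed for the example.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Headers this example's policy expects on an HTML response (assumption for the example).
EXPECTED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options")

BODY = b"<html><body>hello</body></html>"


class WeakHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a deployed app whose server sends no security headers.
    Nothing in its source code is 'wrong'; the gap is in the deployment configuration,
    which is exactly what a source-only SAST scan cannot see."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the example's output quiet
        pass


class HardenedHandler(WeakHandler):
    """Same application, with the protective headers set in the server configuration."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("X-Frame-Options", "DENY")
        self.end_headers()
        self.wfile.write(BODY)


def serve(handler):
    """Start the handler on an ephemeral loopback port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def missing_security_headers(url):
    """DAST-style probe: send an ordinary GET to the running app and report which
    expected headers are absent. Only the live response is inspected, never the code."""
    with urlopen(url, timeout=5) as resp:
        present = {k.lower() for k in resp.headers.keys()}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def scan(handler):
    """Bring up the given deployment, probe it, and tear it down again."""
    server, url = serve(handler)
    try:
        return missing_security_headers(url + "/")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("weak deployment is missing:", scan(WeakHandler))
    print("hardened deployment is missing:", scan(HardenedHandler))
```

The scanner never reads either handler's source; it learns the difference between the two deployments purely from their HTTP responses, which is why the finding is tied to the deployed environment rather than to the code. Conversely, the probe can say nothing about how the application is built internally, matching the table rows below on DAST's lack of design and implementation knowledge.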
Difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST):

S.NO. | Static Application Security Testing | Dynamic Application Security Testing |
---|---|---|
1. | SAST is a type of white-box security testing. | DAST is a type of black-box security testing. |
2. | In SAST, the application is tested from the inside out. | In DAST, the application is tested from the outside in. |
3. | This type of testing is a developer's approach to testing. | This type of testing is a hacker's approach to testing. |
4. | No deployed application is required for Static Application Security Testing. | A running application is required for Dynamic Application Security Testing. |
5. | Finding vulnerabilities and identifying and fixing bugs is easier in SAST. | Vulnerabilities are found towards the end of the SDLC. |
6. | Vulnerabilities can be fixed at little cost. | It finds vulnerabilities towards the end of the SDLC, so fixing them is expensive. |
7. | SAST cannot discover issues related to run time and the environment. | DAST can discover issues related to run time and the environment. |
8. | It typically supports all types of software, such as web applications, web services and thick clients. | It typically only scans applications such as web applications and web services, not other types of software. |
9. | In this testing, the developer has knowledge of the design, application framework and implementation. | In this testing, the tester has no knowledge of the application's design, frameworks or implementation. |
10. | SAST requires the source code to perform testing. | DAST does not require the source code to perform testing. |
11. | It scans static code, which is why it is called Static Application Security Testing (SAST). | It scans the running (dynamic) application, which is why it is called Dynamic Application Security Testing (DAST). |
12. | This testing is performed in the early stages of the Software Development Life Cycle (SDLC). | This testing is performed at the end of the Software Development Life Cycle (SDLC). |
13. | SAST can be costly and long-running, depending on the experience of the tester. | In DAST, the tester is unable to perform comprehensive application analysis since it is carried out externally. |
14. | In SAST, the tester is able to perform comprehensive application analysis. | DAST can be done faster than other types of testing due to its restricted scope. |