Integrating dynamic analysis is a great way to capture low-hanging fruit in staging or production. It is an easy win on a vendor security questionnaire.
Dynamic analysis is the process of running a scan against the target system (a network, infrastructure, an API, a GraphQL endpoint, or otherwise) to find vulnerabilities, ideally before the application ships. It is also a good way to find configuration issues, missing security headers, unnecessarily open ports, and other security problems that manifest only while the application is running.
One of the benefits of dynamic analysis is that its results are evidence-based. The scanner usually presents the evidence for why a finding is a security issue. Static analysis, by comparison, often reports theoretical vulnerabilities, which are not always exploitable in practice.
The value of dynamic analysis increases when it is integrated into the software development process, ideally at the Continuous Integration (CI) stage.
Here are the three things you should look out for when choosing the scanner:
Automating dynamic security testing requires the scanner to run in a headless mode. The scan should be easy to script from your automation server. There are some great scanners out there that only run in a desktop mode, meaning someone has to configure the scan and click a button. Those are not the best candidates for integration into the CI/CD pipeline.
Not all scanners are created equal. Some are better for API or web-based applications (non-API powered), while others are ideal for mobile. A fourth kind is suited to infrastructure scanning. It is very rare for one scanner to cover everything equally well, so prioritize your needs and pick your scanner accordingly.
Nothing is more frustrating than a tool that delays the CI/CD run by more than 10-15%. Most scanners take hours to run, not minutes, which introduces delays into the build process. Some newer scanners can scan only parts of the application, which speeds things up.
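The following is an added example, not code from the original article or from any particular scanner vendor. It shows what the three requirements above look like in practice for the kind of check mentioned earlier (missing security headers): a scriptable, headless probe that runs against a live endpoint, limits its scope to a list of paths, stops when a time budget is exhausted so it does not stall the pipeline, and attaches evidence (the URL probed and the headers actually observed) to every finding. The required-header policy, the paths, and the small in-process "application" it scans are constructed assumptions for the demo; in a real pipeline you would point `scan()` at the staging URL and let the non-zero exit code fail the build.

```python
"""Minimal headless dynamic check for missing security headers.

Added example, not from the original article. The header policy below,
the target paths and the in-process stand-in application are assumptions
constructed so the script runs offline.
"""
import http.server
import threading
import time
import urllib.request

# Assumed baseline policy: headers a production web response should carry.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "makes browsers use HTTPS on later visits",
    "Content-Security-Policy": "limits where scripts and other resources may load from",
    "X-Content-Type-Options": "stops MIME-type sniffing",
    "X-Frame-Options": "mitigates clickjacking",
}


def fetch_headers(url, timeout=5.0):
    """Issue one GET and return {lowercased header name: value} for the response."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return {name.lower(): value for name, value in resp.getheaders()}


def scan(base_url, paths, time_budget_s=30.0):
    """Headless scan over a scoped list of paths.

    Each finding carries evidence (URL probed, headers seen) so a reviewer can
    verify it rather than trust the tool. The scan stops probing once the time
    budget is exhausted and records what it skipped, keeping the CI run fast.
    """
    findings = []
    start = time.monotonic()
    for path in paths:
        if time.monotonic() - start > time_budget_s:
            findings.append({"path": path, "issue": "skipped: time budget exhausted", "evidence": None})
            continue
        url = base_url.rstrip("/") + path
        observed = fetch_headers(url)
        for name, why in REQUIRED_HEADERS.items():
            if name.lower() not in observed:
                findings.append({
                    "path": path,
                    "issue": f"missing {name} ({why})",
                    "evidence": {"url": url, "headers_seen": sorted(observed)},
                })
    return findings


class _FakeApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test:
    /secure sends the full header set, /legacy sends none of it."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        if self.path == "/secure":
            self.send_header("Strict-Transport-Security", "max-age=63072000")
            self.send_header("Content-Security-Policy", "default-src 'self'")
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("X-Frame-Options", "DENY")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep CI output quiet
        pass


def run_demo():
    """Start the stand-in app on a free loopback port, scan two paths, return findings."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return scan(base, ["/secure", "/legacy"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    results = run_demo()
    for finding in results:
        print(f"[{finding['path']}] {finding['issue']}  evidence={finding['evidence']}")
    # Non-zero exit fails the pipeline stage, the way a real DAST gate would.
    raise SystemExit(1 if results else 0)
```

The design point is the evidence dictionary on each finding: a CI gate that only says "header missing" invites arguments about false positives, whereas one that records the exact URL and the header names the server actually returned can be verified by anyone reading the build log.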
SAST and DAST are often used in tandem. As a static analysis screening tool, SAST is better at flagging coding errors, while DAST is better at finding runtime errors. Using DAST alongside SAST also helps offset the high rate of false positives that SAST solutions tend to produce.
Interactive application security testing (IAST) takes more into consideration for modern web and mobile apps than SAST or DAST solutions typically do. IAST combines aspects of both DAST and SAST to perform its analysis in real time within the running application, at any point in the development process. IAST can also operate in a continuous integration environment, in QA, or in production.
Runtime application self-protection (RASP) differs the most from SAST, DAST, and IAST. Less a testing tool, RASP is focused on everyday protection within the application: it controls application execution and protects the app once it has been breached. In this way, it is an excellent complement to security testing.
See a deeper comparison of DAST, SAST, IAST and RASP here.