Security testing is a software testing technique that helps discover vulnerabilities in all types of application software and is carried out at each stage of application development.
In this blog, let’s look at two categories of security testing specific to web application development:
1. Static Application Security Testing
2. Dynamic Application Security Testing
- Static Application Security Testing (SAST):
SAST, also known as white box testing, helps discover vulnerabilities in the application source code during the development phase (source code review). Tools scan the code before compilation so that the developer can identify bugs and fix them promptly, which helps reduce production time.
Very recently, SAST tools have become an integral part of the Secure Development Life Cycle (SDLC) to improve the security of the application. Most developers and organisations today rely on SAST to improve application security.
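As an added illustration of the kind of check a SAST tool performs on source code before compilation (a constructed example, not code from this post or from any particular product), the following small scanner walks a Python module's AST and flags SQL queries that are built by string formatting or concatenation before they reach a database `execute()` call; the sink names and sample snippets are assumptions for the demo:

```python
import ast

# Hypothetical sink names: DB-API cursor methods that run a query string.
SQL_SINKS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    # A string built at run time: f-string, % formatting, str.format(), or +
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def scan_source(source: str) -> list[tuple[int, str]]:
    # Returns (line, message) for each sink call whose query argument is a
    # dynamic string, inline or via a variable assigned one in the module.
    tree = ast.parse(source)
    tainted = {t.id for n in ast.walk(tree)
               if isinstance(n, ast.Assign) and _is_dynamic_string(n.value)
               for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            continue
        arg = node.args[0]
        if _is_dynamic_string(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
            findings.append((node.lineno, f"{node.func.attr}() receives a query built "
                             "by string formatting; bind values as parameters instead"))
    return findings


# Constructed samples: the first two build the query from the caller's input,
# the third passes a constant query and binds the value (no finding expected).
VULNERABLE_CONCAT = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''
VULNERABLE_VIA_VARIABLE = '''
def find_user(cur, name):
    query = f"SELECT * FROM users WHERE name = '{name}'"
    cur.execute(query)
'''
SAFE_PARAMETERISED = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''
```

Like any pattern-based SAST rule this one has blind spots: it also flags concatenation of two constants, and it misses queries assembled in another module, which is why SAST findings are triaged rather than treated as proof of exploitability.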
- Dynamic Application Security Testing (DAST):
Whilst SAST analyses the source code during development, Dynamic Application Security Testing finds vulnerabilities and weaknesses in the running application during the pre-production stage. There are two methods of Dynamic Application Security Testing:
1. Grey box testing: requires credentials to access the application
2. Black box testing: no credentials required
DAST tools are also called “black box” tools. These tools help developers find potential flaws inside applications through penetration testing. DAST does not require access to the code or binary files to expose business logic vulnerabilities in sensitive and confidential applications.
There are two other security testing categories to be aware of:
- Interactive Application Security Testing (IAST):
IAST is the combination of DAST and RASP (Runtime Application Self-Protection). IAST works inside the application, identifying and analysing code for security vulnerabilities while it is exercised by automated tests, a human tester, or any interaction with application functionality. This type of analysis helps developers fix vulnerabilities in real time. IAST can only be carried out at the functional testing level; it does not cover the entire application or codebase.
- Mobile Application Security Testing (MAST):
The use of MAST has grown extensively with the use of the mobile internet. This type of testing is conducted to protect users and organisations from cyber-attacks by securing mobile applications against security breaches. MAST covers authentication, authorisation, data security vulnerabilities exploitable by attackers, and session management.
In MAST, behavioural analysis using both static (SAST) and dynamic (DAST) techniques is performed to discover malicious or potentially risky actions executed by the app without the user’s knowledge (for example, accessing the user’s address book or GPS).
The purpose of security testing is to keep the application and its data safe and confidential. Either your in-house testing team or an external security testing company should help you stay compliant in this rigorous, compliance-driven business environment.
While there are many testing categories, is there anything specific that you think we should include in our blog? Please comment below.