Are Automated Scans Enough to Detect All Security Problems in an Application?

Automated Scanners Are Great Tools, But Are They Enough?

Spoiler alert: No, automated scanners alone cannot cover all aspects of a holistic application security plan. However, I suspect more details are in order, so I can’t end it here.

For this post, we’re really talking about two main types of automated scanners: Dynamic Application Security Testing (DAST) scanners and Static Application Security Testing (SAST) scanners. As the names imply, a DAST scanner runs against a live, running instance of the application, whereas a SAST scanner runs against the application’s source code. We’re also going to take a look at the Payment Card Industry (PCI) scanner sub-category (these are generally DAST scanners, although SAST scanners will typically offer a PCI setting as well).

So why are there two types? In short, each has its own set of strengths and weaknesses. For example, a SAST scanner can find hard-coded passwords and unencoded output incredibly easily; it’s looking directly at the source code, after all. Since a DAST scanner works so differently, it has a much harder time finding those glaring source code issues. On the other hand, it is a bit easier for a DAST scanner to check for other classes of issues, such as authorization flaws, because it exercises the running application the way a user would. Not nearly as well as a human can, but still better than most SAST scanners. DAST scanners have another benefit: they can check the web server configuration, which the source code alone never reveals. This involves checking for things like default web server pages, server fingerprinting (version-revealing headers and error pages), and directory browsing. In other words, each scanner brings something to the table, and by taking advantage of the strengths of both, a reasonably thorough application assessment can be performed.
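As an added illustration (not code from the original post or from any scanner product) of why each scanner type sees what the other cannot, here is a deliberately small Python script: a SAST-style rule set run over a constructed source snippet, and a DAST-style probe run against a throwaway local HTTP server started just for the demo. The sample source, the two regex rules, the local server and every function name are constructed for this example; real scanners use far richer analyses, but the division of labor is the same.

```python
"""Toy SAST-style and DAST-style checks (constructed for this example).

Neither is a real scanner: the rules are two regexes and the "target" is a
local Python http.server started just for the demo, which happens to exhibit
two classic DAST findings (a version-revealing Server header and directory
listing) that no source-code scan could ever see.
"""
import functools
import http.server
import os
import re
import socketserver
import tempfile
import threading
import urllib.request

# ---- SAST side: the scanner reads source, so secrets and missing encoding are obvious ----

# Constructed sample source; the line numbers are what sast_scan() reports.
SAMPLE_SOURCE = '''\
db_password = "hunter2"  # hard-coded credential (line 1)
api_key = os.environ["API_KEY"]  # read from the environment, not flagged
def greet(request):
    name = request.args.get("name")
    return "<h1>Hello " + name + "</h1>"  # unencoded output, reflected XSS (line 5)
def safe(request):
    return "<h1>Hello " + html.escape(request.args.get("name")) + "</h1>"
'''

SAST_RULES = {
    # an identifier that looks like a secret assigned a string literal
    "hardcoded-secret": re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\'][^"\']+["\']'),
    # an HTML literal concatenated with a bare variable (no html.escape wrapper)
    "unencoded-output": re.compile(r'return\s+"<[^"]*"\s*\+\s*(?!html\.escape)\w+'),
}


def sast_scan(source: str) -> list:
    """Return [(rule_name, line_number), ...] for each rule hit in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SAST_RULES.items():
            if pattern.search(line):
                findings.append((rule, lineno))
    return findings


# ---- DAST side: the scanner only sees HTTP, so server configuration is what it is good at ----

def classify_response(headers: dict, body: str, url: str) -> list:
    """Derive configuration findings from one HTTP response (pure, so it is easy to test)."""
    findings = []
    server = headers.get("Server", "")
    if server:  # a product/version banner is a fingerprinting finding
        findings.append(("server-fingerprint", server))
    if "Directory listing for" in body or "Index of /" in body:
        findings.append(("directory-browsing", url))
    return findings


def dast_scan(base_url: str) -> list:
    """Fetch the site root and classify what comes back."""
    url = base_url + "/"
    with urllib.request.urlopen(url, timeout=5) as resp:
        headers = dict(resp.headers.items())
        body = resp.read().decode("utf-8", "replace")
    return classify_response(headers, body, url)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock Python file server; log_message silenced so the demo output stays clean."""
    def log_message(self, *args):
        pass


def run_dast_demo() -> list:
    """Start a throwaway file server on 127.0.0.1 (ephemeral port), scan it, stop it."""
    docroot = tempfile.mkdtemp()
    with open(os.path.join(docroot, "notes.txt"), "w") as fh:
        fh.write("exposed by directory listing\n")
    handler = functools.partial(_QuietHandler, directory=docroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as httpd:
        port = httpd.server_address[1]
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            return dast_scan(f"http://127.0.0.1:{port}")
        finally:
            httpd.shutdown()


if __name__ == "__main__":
    print("SAST findings:", sast_scan(SAMPLE_SOURCE))
    print("DAST findings:", run_dast_demo())
```

Run as a script, the SAST half reports the hard-coded credential on line 1 and the unencoded output on line 5 while ignoring the environment lookup and the escaped variant; the DAST half, which never sees a line of source, reports the `Server` banner and the directory listing. Neither half could produce the other's findings, which is the whole argument for running both.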

© Cypress Data Defense, LLC | 2018 - All Rights Reserved