March 28, 2018 By Cypress Data Defense In Technical
Spoiler alert: No, automated scanners alone cannot cover all aspects of a holistic application security plan. However, I suspect more details are in order, so I can’t end it here.
For this post, we’re really talking about two main types of automated scanners: Dynamic Analysis Scanning Testing (DAST) scanners and Static Analysis Scanning Testing (SAST) scanners. As implied in the name, DAST scanners run against an application that is running, whereas SAST scanners run against an application’s source code. We’re also going to take a look at the Payment Card Industry (PCI) scanner sub-category (generally these are DAST scanners, but SAST scanners will typically have a PCI setting as well).
So why are there two types? In short, each has its own set of strengths and weaknesses. For example, a SAST scanner can find hard-coded passwords and unencoded outputs incredibly easily; it’s looking directly at the source code, after all. Since a DAST scanner works so differently, it has a harder time finding those glaring source code issues. However, it is a bit easier for a DAST scanner to check for other issues, such as authorization. Not nearly as well as a human can, but still better than most SAST scanners. DAST scanners have another benefit: they can check web server configuration, which means looking for things like default web server pages, fingerprinting, or directory browsing. In other words, each scanner brings something to the table, and by taking advantage of the strengths of both, a reasonably thorough application assessment can be performed.
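To make that split concrete, here is an added example (not code from the original post or from Cypress Data Defense): a toy static check and a toy dynamic check, each run over the kind of evidence its scanner class actually sees. The source snippet, the HTTP response and the rule patterns are all constructed for the demo, and the point is that the same rules find nothing when pointed at the wrong kind of input.

```python
import re

# Constructed sample source file: a tiny handler with the two defects the
# post says a SAST scanner finds easily.
SAMPLE_SOURCE = '''
DB_PASSWORD = "hunter2"                   # hard-coded credential
def render(name):
    return "<p>Hello " + name + "</p>"    # input echoed without encoding
'''

# Constructed sample HTTP response: what a DAST scanner sees when it
# requests a directory on a loosely configured server.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"},
    "body": "<html><head><title>Index of /backup</title></head>...",
}

# Assumed rule set for the static side (real SAST tools use far richer rules).
SAST_RULES = {
    "hard-coded credential": re.compile(
        r'(?i)(password|passwd|secret)\s*=\s*["\'][^"\']+["\']'),
    "unencoded output": re.compile(r'return\s+".*"\s*\+\s*\w+\s*\+'),
}


def sast_findings(source: str) -> list:
    """Static view: match each line of source text against the rules."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in SAST_RULES.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def dast_findings(response: dict) -> list:
    """Dynamic view: inspect only what the running server sent back."""
    findings = []
    server = response["headers"].get("Server", "")
    if re.search(r"/\d", server):          # version string = fingerprinting aid
        findings.append("server version disclosure")
    if response["status"] == 200 and "<title>Index of " in response["body"]:
        findings.append("directory browsing enabled")
    return findings


if __name__ == "__main__":
    print("SAST:", sast_findings(SAMPLE_SOURCE))
    print("DAST:", dast_findings(SAMPLE_RESPONSE))
    print("SAST rules over HTTP body:", sast_findings(SAMPLE_RESPONSE["body"]))
```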