Making sense of the SAST, DAST, IAST, RASP soup

The software security scanner market is now mature enough to have its own jargon, built largely by vendor marketing teams. As such, it's primarily designed to help you get rid of your infosec budget rather than help you design a reasonable security assurance architecture.

SAST (Static Application Security Testing)

"Static" in this context means source code, nothing else. The simplest SAST scanner is grep (today I'd use rg), and it would be an example of a pattern-based SAST scanner. Want to find all occurrences in C code where strcpy is used? Just run rg strcpy and it will recursively scan your code base for all occurrences of the string. This is how the first scanners operated back in the 2000s, and this is how some scanners on the market still work, especially with more esoteric programming languages such as SAP ABAP. This method is, however, quite blind to the context of the potentially dangerous function call (a match in a comment or a string literal counts just as much as a real call), let alone to data flow spanning multiple lines of the code.

This is why a new generation of scanners was created that actually understands the application's code and data flow, usually using an Abstract Syntax Tree (AST), but much more interesting techniques are also employed, such as code emulators. The scanner builds an in-memory model of all the possible application execution flows and then queries it for known vulnerabilities, often with a whole SQL-like query syntax. Scanners I much respect, like Checkmarx and Semmle, operate this way.
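To make the difference between the two generations concrete, here is a small added example (written for this page, not code from the post or from any vendor's product). It is a toy scanner in Python that runs over a constructed Python snippet rather than C, because Python's standard `ast` module makes the AST-based variant short: `pattern_scan` is the grep/rg approach and matches the sink name wherever the text contains it, while `ast_scan` only reports real call sites of `os.system` and adds a minimal intra-procedural taint check (does any argument derive, through assignments, from a parameter of the enclosing function?). The sample program, the `SINKS` set and the helper names are all assumptions made for the example.

```python
import ast
import re

# Constructed sample program (not from the original post). The sink os.system
# appears in a comment, inside a string literal, and at two real call sites,
# only one of which receives data derived from a function parameter.
SAMPLE = '''\
import os

def run(user_input):
    # os.system is risky; this comment is not a call
    cmd = "echo " + user_input
    os.system(cmd)

def housekeeping():
    print("os.system not invoked on this line")
    os.system("ls -l /tmp")
'''

# Dotted names of the "dangerous" calls the toy scanner looks for (assumed list).
SINKS = {"os.system"}


def pattern_scan(source, pattern=r"os\.system"):
    """grep-style scan: returns every line number with a textual match,
    regardless of whether the match is code, a comment or a string."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if re.search(pattern, line)]


def _dotted(node):
    """Render an attribute chain such as os.system as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _names(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def ast_scan(source):
    """AST scan: returns (line, tainted) for each real call to a SINK.
    'tainted' is True when an argument is derived from a parameter of the
    enclosing function. Taint is propagated only through top-level
    assignments in the function body, which is enough for the sample."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args}   # parameters are untrusted
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _names(stmt.value) & tainted:
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and _dotted(call.func) in SINKS:
                    arg_names = set()
                    for arg in call.args:
                        arg_names |= _names(arg)
                    findings.append((call.lineno, bool(arg_names & tainted)))
    return findings


if __name__ == "__main__":
    print("pattern scan hits:", pattern_scan(SAMPLE))   # [4, 6, 9, 10]
    print("ast scan findings:", ast_scan(SAMPLE))        # [(6, True), (10, False)]
```

Run as-is, the pattern scan reports four lines (the comment, the string literal and both calls), while the AST scan reports the two genuine call sites and singles out line 6 as the one where parameter-derived data reaches the sink. Real engines of the second generation do the same thing across function boundaries, files and frameworks, which is why their findings need far less manual triage than a list of textual matches.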

Pros

  • Static scanning can be performed from the very first line of the code written.
  • You don't need a working build environment, libraries, compiler etc.
  • These features allow you to start scanning very early in the project, deploy the scanner on developer workstations, and also scan third-party code.
  • Static scan will also cover all of the supplied code, so it can find potentially dangerous constructs even in code blocks that are executed under very unusual conditions.

Limitations

  • A static scanner sees only the source code supplied. It will not see the source code of third-party libraries compiled into your application unless you explicitly scan them too.
  • It will not see vulnerabilities in infrastructure components such as load balancers, proxies, web servers, the operating system and everything else that makes up a "web application".
  • Most static scanners require careful tuning: if you drop an existing, large application code base into a static scanner you will likely get literally thousands of high-severity alerts. The amount of work needed to filter out those you should actually be worried about is often not much less than finding them from scratch.