
Principles of Information Security: Security Testing (SAST, DAST, IAST, RASP)





Security Testing (SAST, DAST, IAST, RASP) – Exam-Ready Study Guide

What This Is

Security testing identifies vulnerabilities in applications, infrastructure, and processes before attackers exploit them. Without it, organizations risk data breaches, compliance violations, and financial loss, as in the 2017 Equifax breach (147M records exposed through an unpatched Apache Struts vulnerability) or Log4j in 2021 (CVE-2021-44228), where a flaw in a logging library led to remote code execution (RCE) on thousands of systems. The four methods covered here (SAST, DAST, IAST, RASP) provide layered defense by catching flaws at different stages of the software development lifecycle (SDLC).


Key Terms & Concepts

  • SAST (Static Application Security Testing): Analyzes source code, bytecode, or binaries without executing the program (e.g., during development). Finds flaws like SQL injection, hardcoded secrets, or buffer overflows. Tools: SonarQube, Checkmarx, Fortify. Standards: OWASP Top 10, CWE (Common Weakness Enumeration).

  • DAST (Dynamic Application Security Testing): Tests a running application (e.g., in staging/production) by simulating attacks (e.g., fuzzing, XSS, CSRF). Mimics a hacker’s perspective but misses code-level issues. Tools: OWASP ZAP, Burp Suite, Nessus. Standards: OWASP Testing Guide, NIST SP 800-115.

  • IAST (Interactive Application Security Testing): Combines SAST + DAST by instrumenting the runtime environment (e.g., via agents) to monitor code execution while the app runs. Catches vulnerabilities like insecure deserialization or race conditions. Tools: Contrast Security, HCL AppScan IAST. Requires app instrumentation (may impact performance).

  • RASP (Runtime Application Self-Protection): Embeds security into the app (e.g., via libraries or agents) to block attacks in real time (e.g., SQLi, RCE). Unlike WAFs (which protect at the network layer), RASP operates inside the app. Tools: Signal Sciences, Imperva RASP. Standards: MITRE ATT&CK (T1190 – Exploit Public-Facing App).

  • OWASP Top 10: A ranked list of critical web app risks (e.g., Broken Access Control, Cryptographic Failures). Used as a baseline for SAST/DAST tools. Updated every 3–4 years (latest: 2021).

  • CWE (Common Weakness Enumeration): A community-developed list of software weaknesses (e.g., CWE-89: SQL Injection, CWE-79: XSS). Used by SAST tools to classify vulnerabilities.

  • CVSS (Common Vulnerability Scoring System): Quantifies vulnerability severity (0–10 scale) based on exploitability, impact, and scope. Example: Log4j (CVE-2021-44228) scored 10.0 (Critical). Used in NIST NVD (National Vulnerability Database).

  • Shift Left: Integrating security early in the SDLC (e.g., SAST in CI/CD pipelines) to reduce cost and risk. Opposite of "bolt-on" security (e.g., DAST in production).

  • CI/CD Pipeline: Continuous Integration/Continuous Deployment – automates testing and deployment. Security tools (SAST/DAST) are often integrated here (e.g., GitHub Actions, Jenkins, GitLab CI).

  • False Positive vs. False Negative:
      • False Positive: Tool flags a non-existent vulnerability (wastes time).
      • False Negative: Tool misses a real vulnerability (security risk).
    Goal: Balance precision (low false positives) and recall (low false negatives).

  • WAF (Web Application Firewall): Network-layer defense (e.g., AWS WAF, Cloudflare) that filters malicious HTTP traffic (e.g., SQLi, XSS). Not a replacement for SAST/DAST (only blocks known attack patterns).

  • MITRE ATT&CK: A framework of adversary tactics/techniques (e.g., T1190 – Exploit Public-Facing App). Used to map vulnerabilities to real-world attacks.
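To make the SAST definition concrete, here is an added example (written for this guide, not code from SonarQube, Checkmarx or any other tool named above) of the static approach: it parses Python source with the standard library `ast` module and, without executing anything, reports hardcoded secrets (CWE-798) and SQL statements assembled by concatenation or f-strings (CWE-89). The sample module `SAMPLE_SOURCE`, the name pattern `SECRET_NAME` and the sink set `SQL_SINKS` are constructed for the illustration.

```python
"""Minimal SAST-style checker (added example, not the code of any tool named on
the page). It parses Python source with the standard library `ast` module and,
without executing anything, reports two weakness classes the page lists for
SAST: hardcoded secrets (CWE-798) and SQL assembled from dynamic strings (CWE-89).
"""
import ast
import re

# Constructed sample input: one hardcoded secret, two dynamic queries, one safe query.
SAMPLE_SOURCE = '''
import sqlite3
API_KEY = "sk_live_1234567890abcdef"      # hardcoded secret (constructed value)
DB_PATH = "app.db"                        # not a secret: name does not match

def find_user(conn, name):
    conn.execute("SELECT * FROM users WHERE name = '" + name + "'")   # CWE-89
    conn.execute(f"SELECT * FROM users WHERE id = {name}")            # CWE-89
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))       # safe: bound parameter
'''

# Heuristics (assumptions for this example): names that usually hold secrets,
# strings that start like a SQL statement, and DB-API methods that run SQL.
SECRET_NAME = re.compile(r"(api[_-]?key|secret|password|passwd|token)", re.I)
SQL_START = re.compile(r"^\s*(select|insert|update|delete)\b", re.I)
SQL_SINKS = {"execute", "executemany"}


def _contains_sql_literal(node: ast.AST) -> bool:
    """True if any string constant under `node` begins like a SQL statement."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str) and SQL_START.match(sub.value):
            return True
    return False


def scan_source(source: str) -> list[dict]:
    """Statically scan `source`; return findings (cwe, line, message) ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # CWE-798: a string literal assigned to a secret-looking name
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append({"cwe": "CWE-798", "line": node.lineno,
                                     "message": f"hardcoded secret assigned to {target.id}"})
        # CWE-89: a SQL sink whose statement argument is built at runtime
        # (string concatenation or an f-string) rather than a constant with bound parameters
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            stmt = node.args[0]
            if isinstance(stmt, (ast.BinOp, ast.JoinedStr)) and _contains_sql_literal(stmt):
                findings.append({"cwe": "CWE-89", "line": node.lineno,
                                 "message": "SQL statement built from a dynamic string"})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"{finding['cwe']} line {finding['line']}: {finding['message']}")
```

Because the checker only sees code, it cannot tell whether `name` is ever attacker-controlled or whether the flaw is reachable in the deployed app; that is the gap DAST and IAST fill. The name-based secret rule also shows where SAST false positives come from: a variable such as `token_ttl = "30s"` would be flagged, which is why real tools ship tunable rule sets.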


Step-by-Step / Process Flow

How to Implement Security Testing in the SDLC

  1. Plan (Define Scope & Tools)
     • Identify critical apps (e.g., payment systems, PII handlers).
     • Select tools based on language/framework (e.g., SonarQube for Java, OWASP ZAP for web apps).
     • Align with compliance requirements (e.g., PCI DSS, GDPR, NIST SP 800-53).

  2. Integrate SAST Early (Shift Left)
     • Run SAST in the IDE (e.g., VS Code with SonarLint) or in the CI/CD pipeline (e.g., GitHub Actions).
     • Example: Checkmarx scans code on every commit for SQLi and hardcoded passwords.
     • Triage results: prioritize by CVSS score and business impact.

  3. Test Dynamically (DAST in Staging)
     • Deploy DAST in a pre-production environment (e.g., OWASP ZAP automated scans).
     • Test for OWASP Top 10 vulnerabilities (e.g., Broken Authentication, Sensitive Data Exposure).
     • Manual testing: use Burp Suite for advanced attacks (e.g., CSRF, SSRF).

  4. Enhance with IAST (Optional but Powerful)
     • Instrument the app with an IAST agent (e.g., Contrast Security) to catch runtime flaws (e.g., insecure deserialization).
     • Example: IAST detects a race condition that SAST/DAST missed.

  5. Deploy RASP for Production Protection
     • Embed RASP libraries (e.g., Signal Sciences) into the app to block attacks in real time.
     • Example: RASP blocks a SQLi attempt and logs the attacker’s IP for SOC analysis.

  6. Continuous Monitoring & Feedback Loop
     • SIEM integration: send SAST/DAST/IAST/RASP alerts to Splunk or QRadar.
     • Patch management: prioritize fixes based on CVSS + business risk.
     • Retest: re-run scans after fixes to confirm remediation.
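The RASP step of the flow (block a SQLi attempt in real time and log the attacker's IP for the SOC) as an added example, written for this guide rather than taken from Signal Sciences, Imperva or any product on the page. The guard wraps a sqlite3 connection and checks each statement against the request's untrusted parameters: an input that does not fall entirely inside one string or numeric literal of the final SQL has changed the statement's structure, so the call is blocked and an event carrying the client IP is recorded. The `request` dict, the `users` table and the IP addresses are constructed; a real agent reads the request context itself and tracks tainted bytes instead of substring matching.

```python
"""RASP-style in-app SQL injection guard (added example; not the code of Signal
Sciences, Imperva or any other product named on the page). Every execute() call
on the wrapped sqlite3 connection is checked against the request's untrusted
inputs before the statement reaches the database.
"""
import re
import sqlite3
from dataclasses import dataclass, field

# Lexer for the SQL subset needed here: string and numeric literals are the only
# places where untrusted input may legitimately appear.
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')          # single-quoted string, '' escapes a quote
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)    # keywords and identifiers
  | (?P<WS>\s+)
  | (?P<OP>.)                           # punctuation, operators, stray quotes
""", re.VERBOSE | re.DOTALL)


def tokenize(sql: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for every token of `sql`."""
    return [(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]


def input_breaks_structure(sql: str, value: str) -> bool:
    """True if `value` occurs in `sql` and no occurrence lies wholly inside one
    string or numeric literal, i.e. the input has contributed SQL structure."""
    if not value or value not in sql:
        return False
    literals = [(s, e) for kind, s, e in tokenize(sql) if kind in ("STRING", "NUMBER")]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if any(s <= start and end <= e for s, e in literals):
            return False            # a plain literal value: benign
        start = sql.find(value, start + 1)
    return True


class AttackBlocked(Exception):
    """Raised instead of running a statement whose structure came from user input."""


@dataclass
class RaspGuard:
    """Wraps a sqlite3 connection; `events` is the log a SOC would receive."""
    conn: sqlite3.Connection
    events: list = field(default_factory=list)

    def execute(self, sql: str, params: tuple = (), *, request: dict):
        # `request` stands in for the HTTP context a real agent reads itself:
        # the client IP and every untrusted value (query string, form, headers).
        bound = {str(p) for p in params}
        for name, value in request["params"].items():
            value = str(value)
            if value in bound:
                continue            # passed as a bound parameter: cannot alter structure
            if input_breaks_structure(sql, value):
                self.events.append({"action": "blocked", "client_ip": request["client_ip"],
                                    "param": name, "value": value, "sql": sql})
                raise AttackBlocked(f"parameter {name!r} from {request['client_ip']} alters SQL structure")
        return self.conn.execute(sql, params)


def lookup_user(guard: RaspGuard, request: dict):
    """The app's own handler, deliberately built by concatenation so the guard has
    something to catch; returns the rows, or "blocked" when RASP intervened."""
    sql = "SELECT id, name FROM users WHERE name = '" + request["params"]["name"] + "'"
    try:
        return guard.execute(sql, request=request).fetchall()
    except AttackBlocked:
        return "blocked"


def demo():
    """Constructed walk-through: one legitimate lookup, then one injection attempt."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    guard = RaspGuard(conn)
    benign = lookup_user(guard, {"client_ip": "198.51.100.7", "params": {"name": "alice"}})
    attack = lookup_user(guard, {"client_ip": "203.0.113.9", "params": {"name": "' OR '1'='1"}})
    return benign, attack, guard.events


if __name__ == "__main__":
    rows, verdict, log = demo()
    print("benign request ->", rows)
    print("injection attempt ->", verdict)
    for event in log:
        print("SOC event:", event)
```

Note what the guard does and does not do: it sits inside the process, so it sees the final statement and the database call, which a WAF in front of the app never does, but it only intervenes after the concatenation bug has been written. The `Common Mistakes` point about RASP as a last line of defense is visible here: the fix is still the bound-parameter form of the query, which the guard recognizes and never needs to block.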

Common Mistakes

  • Mistake: Assuming SAST catches everything.
    Correction: SAST misses runtime flaws (e.g., race conditions, logic bombs). Use DAST/IAST to complement it.
  • Mistake: Running DAST in production.
    Correction: DAST can crash apps or corrupt data. Always test in staging first.
  • Mistake: Ignoring false positives.
    Correction: Tune tools to reduce noise (e.g., exclude test files, adjust sensitivity). Otherwise, teams ignore alerts.
  • Mistake: Treating RASP as a silver bullet.
    Correction: RASP doesn’t replace secure coding. It’s a last line of defense, not a substitute for SAST/DAST.
  • Mistake: Not retesting after fixes.
    Correction: Vulnerabilities can reappear after code changes. Automate retesting in CI/CD.
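Three of the corrections above (tuning out noise, prioritizing by CVSS plus business impact, and retesting to confirm remediation) as one added example, not taken from any tool on the page. The findings list, the per-app impact weights and the baseline of accepted findings are constructed; the weighted-priority formula and the 7.0 gate threshold are assumptions an organization would set for itself, while the severity bands follow the CVSS v3 qualitative ranges.

```python
"""Triage, build gate and retest bookkeeping for scanner output (added example,
not taken from any tool on the page). Findings, impact weights and the baseline
are constructed; the priority formula and gate threshold are assumptions."""

# Constructed scanner output, reduced to the fields a SARIF-style report carries.
FINDINGS = [
    {"id": "f1", "rule": "CWE-89",  "cvss": 9.8, "app": "payments",  "path": "src/orders/db.py"},
    {"id": "f2", "rule": "CWE-798", "cvss": 7.5, "app": "payments",  "path": "tests/fixtures/keys.py"},
    {"id": "f3", "rule": "CWE-79",  "cvss": 6.1, "app": "marketing", "path": "src/blog/render.py"},
    {"id": "f4", "rule": "CWE-89",  "cvss": 9.8, "app": "marketing", "path": "src/blog/search.py"},
    {"id": "f5", "rule": "CWE-327", "cvss": 5.3, "app": "payments",  "path": "src/cache/keys.py"},
]
# Business-impact weight per application (assumption: decided in the plan phase).
APP_IMPACT = {"payments": 1.0, "marketing": 0.4}
# Findings accepted after review (constructed: f5 is a weak hash used only for cache keys).
BASELINE = {"f5"}


def cvss_label(score: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"


def triage(findings, baseline=frozenset(), exclude_prefixes=("tests/",)):
    """Drop noise (test fixtures, accepted findings) and rank the rest by
    CVSS weighted with business impact, highest first."""
    ranked = []
    for f in findings:
        if f["path"].startswith(exclude_prefixes):
            continue                      # tuning: test fixtures never ship
        if f["id"] in baseline:
            continue                      # accepted risk, reviewed elsewhere
        weight = APP_IMPACT.get(f["app"], 1.0)   # unknown apps get full weight
        ranked.append(dict(f, severity=cvss_label(f["cvss"]),
                           priority=round(f["cvss"] * weight, 2)))
    return sorted(ranked, key=lambda f: f["priority"], reverse=True)


def gate(triaged, block_at=7.0):
    """CI gate: fail the build when any weighted priority reaches `block_at`."""
    blocking = [f["id"] for f in triaged if f["priority"] >= block_at]
    return {"pass": not blocking, "blocking": blocking}


def confirm_remediation(previous_ids, current_ids):
    """Retest bookkeeping: compare the finding ids of two scans of the same code."""
    previous_ids, current_ids = set(previous_ids), set(current_ids)
    return {"fixed": sorted(previous_ids - current_ids),
            "still_open": sorted(previous_ids & current_ids),
            "new": sorted(current_ids - previous_ids)}


if __name__ == "__main__":
    ranked = triage(FINDINGS, BASELINE)
    for f in ranked:
        print(f"{f['id']} {f['rule']} {f['severity']:8} priority={f['priority']}")
    print(gate(ranked))
    # Constructed rescan after the f1 fix: f1 gone, f3/f4 still open, f6 new.
    print(confirm_remediation([f["id"] for f in ranked], ["f3", "f4", "f6"]))
```

The same CVSS 9.8 injection ranks very differently for the payments app and the marketing site, which is the point of adding business impact to the raw score; the gate then blocks only on the weighted value. The retest comparison is what turns "we fixed it" into evidence: a finding counts as remediated only when it is absent from the next scan, and anything new that the fix introduced shows up in the same report.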

Certification Exam Tips

CISSP (Management Perspective)

  • Question Trap: "Which testing method provides the earliest feedback in the SDLC?"
  • Answer: SAST (runs during development). DAST/IAST are later stages.
  • Key Distinction: SAST = White-box (sees code), DAST = Black-box (sees only inputs/outputs).
  • RASP vs. WAF: RASP protects the app from within, while WAF filters traffic at the network layer.

Security+ (Technical Perspective)

  • Question Trap: "Which tool is best for finding SQL injection in a running web app?"
  • Answer: DAST (e.g., OWASP ZAP). SAST finds it in code, but DAST confirms it’s exploitable.
  • OWASP Top 10: Memorize the top 3 (2021: Broken Access Control, Cryptographic Failures, Injection).

CEH (Hacker Perspective)

  • Question Trap: "Which testing method would an attacker use to find zero-day vulnerabilities?"
  • Answer: DAST (mimics real-world attacks). SAST requires source code access.
  • IAST Advantage: Catches runtime flaws (e.g., insecure deserialization) that SAST/DAST miss.

Quick Check Questions

  1. A developer wants to catch hardcoded API keys in their Python code before committing to Git. Which tool should they use?
     A) OWASP ZAP
     B) SonarQube
     C) Burp Suite
     D) Signal Sciences RASP
     Answer: B) SonarQube (SAST tool for static code analysis). OWASP ZAP (DAST) and Burp Suite (DAST) test running apps, while RASP protects production.

  2. During a penetration test, an ethical hacker discovers a reflected XSS vulnerability in a staging environment. Which testing method most likely found this?
     A) SAST
     B) DAST
     C) IAST
     D) RASP
     Answer: B) DAST (tests running apps for input-based flaws like XSS). SAST would flag it in code, but DAST confirms exploitability.

  3. A company deploys a new e-commerce app and wants real-time protection against SQL injection attacks. Which solution is most appropriate?
     A) SAST in the CI/CD pipeline
     B) DAST scans in staging
     C) RASP embedded in the app
     D) WAF at the network perimeter
     Answer: C) RASP (blocks attacks in real time at the app layer). WAF (D) is network-layer only, while SAST/DAST are pre-production.

Last-Minute Cram Sheet

  1. SAST = Static (code analysis, early SDLC). Tools: SonarQube, Checkmarx.
  2. DAST = Dynamic (running app, black-box). Tools: OWASP ZAP, Burp Suite.
  3. IAST = Interactive (runtime + code, hybrid). Tools: Contrast Security.
  4. RASP = Runtime protection (blocks attacks in real time). Tools: Signal Sciences.
  5. OWASP Top 10 (2021): 1) Broken Access Control, 2) Cryptographic Failures, 3) Injection.
  6. CVSS Score: 0–10 (10 = Critical, e.g., Log4j).
  7. Shift Left: Test early (SAST in CI/CD) to reduce cost.
  8. False Positive = Tool cries wolf (wastes time). False Negative = Tool misses a real flaw (security risk).
  9. WAF vs. RASP: WAF = network layer, RASP = app layer.
  10. Exam Trap: SAST vs. DAST – SAST finds code flaws, DAST finds runtime flaws. Use both!