As part of my work on the implementation of ISO27001:2022, I have had to deal with issues relating to application development and testing, mainly for the security measure in Annex 8.28.

Note that the development is covered by the following measures:
- 8.25 – Secure development life cycle: Testing enables security to be integrated right from the design stage and throughout the development cycle.
- 8.26 – Application security requirements: Tests validate that the defined security requirements have been met.
- 8.27 – Secure system architecture and engineering principles: Tests evaluate the robustness of architecture choices against common vulnerabilities.
- 8.28 – Secure coding: SAST tests identify security flaws in code before they reach production.
- 8.29 – Security testing in development and acceptance: This measure directly concerns SAST and DAST tests to identify vulnerabilities before and after deployment.
- 8.30 – Outsourced development: Tests guarantee that outsourced developments meet the required security standards.
- 8.31 – Separation of development, test and production environments: Tests ensure that each environment is properly isolated to prevent data leaks or internal attacks.
- 8.32 – Change management: Security testing is integrated into the change management process to ensure that no new vulnerabilities are introduced.
- 8.33 – Test information: This measure ensures that tests are well documented and that the results are used to improve security.
- 8.34 – Protection of information systems during audit testing: Tests must be carried out in such a way as not to compromise the availability or integrity of systems in production.
With this article, I’d like to highlight an aspect of application testing that is all too often neglected by organizations. Testing before and after development!
Some consider testing to be costly and unnecessary, whereas it can be automated simply and inexpensively. This significantly improves the security of the application under development, reinforces confidence in it and reassures customers by guaranteeing a safer product.
What’s more, simply testing your application ensures compliance with several ISO27001:2022 controls, including those relating to secure development and vulnerability management.

1. Origin and definitions of DAST and SAST
**SAST (Static Application Security Testing)** is a security method that analyzes an application’s source code without executing it.
The aim is to identify potential vulnerabilities in the source code, even before the application goes into production. The idea is to find and correct these vulnerabilities at an early stage in the development cycle.
Conversely, **DAST (Dynamic Application Security Testing)** focuses on applications in operation, i.e. while they are running.
This method tests the application from the attacker’s point of view by simulating attacks on an application deployed in production in order to identify vulnerabilities in external components such as user interfaces, APIs or database communication.
2. Key concepts
SAST
SAST focuses on analyzing source code, libraries and application architecture. By scanning code files, it can detect flaws such as input validation errors, SQL injections, or even leaks of sensitive information in logs.
The main features of SAST include:
- Source code or binary code analysis.
- Detecting vulnerabilities right from the development phase.
- The ability to be used by developers throughout the development cycle.
DAST
DAST, on the other hand, is more focused on the behavior of the application once it’s up and running. It seeks to test the application in a production or pre-production environment to find flaws that could be exploited by external attacks. DAST is therefore very useful for assessing the effectiveness of the protections put in place in the application and checking that it does not have any vulnerabilities that could be exploited by attackers.
The main features of DAST include:
- Real-time analysis of a running application.
- Simulation of attacks using automated penetration testing tools.
- Identification of vulnerabilities such as SQL injections, XSS attacks or authentication weaknesses.
3. Why use DAST and SAST?
Both SAST and DAST offer advantages when it comes to strengthening application security.
SAST enables vulnerabilities to be detected early in the development process, reducing the cost of fixing them and improving code quality. By detecting errors early on, developers can avoid leaving potential flaws in the final product.
DAST, on the other hand, is used to simulate attacks in a real-world environment, enabling us to verify the effectiveness of the security measures we have put in place, and to identify vulnerabilities that can be exploited once the application is online. It helps identify risks that cannot be captured by simply analyzing the source code, such as interface and API vulnerabilities.
4. How to integrate DAST and SAST
Integrating DAST and SAST into a company requires a few practical considerations, particularly in terms of available resources and skills. Here are a few recommendations:
- Implementing a security culture in development: In a medium-sized company, it’s crucial that security is integrated right from the development phase. Developers need to be trained to use SAST tools to detect vulnerabilities before they go into production.
- Automating the testing process: To maximize the effectiveness of security testing, we recommend automating the SAST and DAST processes in CI/CD (continuous integration and continuous deployment) pipelines. This enables vulnerabilities to be detected automatically as soon as the code is integrated.
- Using affordable solutions: For small businesses, there are affordable security tools that can be integrated into software development. It’s important to choose solutions that can be adapted to the company’s specific needs, and that don’t require specialized expertise.
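As an added illustration (not code from this article or from any tool it names), the following Python script is a miniature SAST rule: it parses source code with the standard `ast` module, never executes it, and flags `execute()` calls whose SQL query is assembled from strings, the SQL injection pattern mentioned in the SAST section above; its non-zero exit code is how such a check would fail a CI/CD stage as recommended in the automation point. The names `SqlStringRule`, `scan_source` and the sample source are constructed for this example.

```python
"""Miniature SAST rule: static detection of SQL built from dynamic strings.

Parses Python source without running it and reports execute()/executemany()
calls whose first argument is an f-string, a concatenation/% expression or a
.format() call. Parameterised queries (a constant string plus a tuple of
parameters) are not reported.
"""
import ast
import sys


class SqlStringRule(ast.NodeVisitor):
    """Collect (line, message) findings for queries assembled at runtime."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name in ("execute", "executemany") and node.args:
            if self._is_dynamic_string(node.args[0]):
                self.findings.append((node.lineno, f"{name}() query built from dynamic string"))
        self.generic_visit(node)  # keep walking into nested calls

    @staticmethod
    def _is_dynamic_string(expr):
        if isinstance(expr, ast.JoinedStr):  # f"SELECT ... {user}"
            return True
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
            return True  # "..." + user  or  "..." % user
        if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute):
            return expr.func.attr == "format"  # "...".format(user)
        return False


def scan_source(source, filename="<input>"):
    """Return the list of (line, message) findings for one Python source text."""
    rule = SqlStringRule()
    rule.visit(ast.parse(source, filename=filename))
    return rule.findings


# Constructed sample input: two injectable queries and one parameterised query.
SAMPLE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    hits = scan_source(SAMPLE, "sample.py")
    for line, msg in hits:
        print(f"sample.py:{line}: {msg}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the pipeline stage
```

Real SAST products apply hundreds of such rules with data-flow tracking; this deliberately simple rule shows the principle and will over-report expressions that are not strings.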
5. SAST and DAST tools
Here are some popular tools for each type of test:
SAST tools:
- Checkmarx: A popular SAST tool that analyzes source code and helps with early detection of vulnerabilities.
- SonarQube: An open-source platform for static code analysis to detect security flaws.
- Veracode: A cloud solution that offers both static and dynamic testing, ideal for smaller companies.
DAST tools:
- OWASP ZAP (Zed Attack Proxy): An open-source tool for automated penetration testing of web applications.
- Burp Suite: A popular tool for penetration testing and security analysis of web applications.
- Acunetix: A solution that scans websites for common vulnerabilities such as SQL injection and XSS.
SAST and DAST are two approaches to securing application development. While SAST focuses on source code in the early stages of development, DAST enables applications to be tested once deployed. Integrating these tools into a medium-sized or small enterprise requires careful planning, test automation and the use of appropriate tools.
Companies wishing to improve their security posture should consider a combination of SAST and DAST, while training their teams in the continuous integration of these tests. Regular vulnerability assessment remains essential to ensure secure development that complies with cybersecurity standards.
I invite you to click on “Follow” to continue learning more about the field of information security.