Product Security Glossary

Application Security Testing

What is AST? 

AST stands for Application Security Testing. It involves scanning either a running application or the application source code for security vulnerabilities. At one time, AST was a manual process. Nowadays, there are several types of automated AST processes that can be used at various stages of an application's lifecycle. 

What are the types of AST? 

SAST, or Static Application Security Testing, is a white box approach. In other words, the security testers have the application source code, and use automated scanners to search for security problems in the source code.  This type of scan can’t find problems in the software design, but it can find coding errors that could lead to buffer overflow attacks, SQL Injection attacks, or numerous other types of attacks. This type of AST should be an integral part of the application development process. 
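To make the SAST idea concrete, here is an added example (not code from the original glossary) of the simplest kind of static check: it parses a Python module into an abstract syntax tree, without running it, and reports every database `execute` / `executemany` call whose SQL text is assembled with an f-string, `%` formatting, `.format()` or `+` concatenation, the coding pattern behind SQL injection. The sample module it scans is constructed for this example. Real SAST tools add data-flow and taint tracking across functions and files and cover many languages, but the core mechanism, matching patterns against parsed source, is the same.

```python
"""Toy SAST check: flag SQL statements built by string operations.

Added example, not code from the original glossary. It inspects parsed
source only; nothing in the scanned module is executed.
"""
from __future__ import annotations

import ast
from typing import Optional

# Method names treated as SQL sinks (assumption: DB-API style cursors).
SINK_METHODS = {"execute", "executemany"}


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return a short reason if `node` builds a string at runtime, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        if (isinstance(node.op, ast.Mod)
                and isinstance(node.left, ast.Constant)
                and isinstance(node.left.value, str)):
            return "% formatting"
        if isinstance(node.op, ast.Add):
            # "a" + "b" with two literals is harmless; anything else is dynamic.
            if not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant)):
                return "string concatenation"
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def find_dynamic_sql(source: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for each sink call whose SQL is built dynamically."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_METHODS or not node.args:
            continue
        reason = _dynamic_string_reason(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample module: three unsafe statements and one parameterized one.
SAMPLE = '''\
import sqlite3

def get_user(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for lineno, reason in find_dynamic_sql(SAMPLE):
        print(f"line {lineno}: SQL built with {reason}; use a parameterized query")
```

Only the first three `execute` calls are reported; the parameterized call on line 8 of the sample passes a constant string and is left alone, which is exactly the distinction a SAST rule for injection needs to draw.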

DAST, or Dynamic Application Security Testing, is a black box approach. The security testers don’t have access to the application source code, and instead just scan the running application from an external location. The DAST tools send connection requests with various malicious payloads to the target application, and then analyze the responses to determine if there are any vulnerabilities. 

IAST, or Interactive Application Security Testing, is a combination of SAST and DAST. Instead of running on an external machine as a DAST tool would, an IAST tool would be running on the same server as the application to be scanned.  In addition to examining the runtime behavior of the application, IAST tools can also examine the compiled source code of the application.  This type of AST can detect a wider range of problems than either SAST or DAST alone. 

MAST, or Mobile Application Security Testing, is for mobile devices. It combines aspects of DAST, SAST, and IAST, along with forensic analysis of mobile device data. This type of AST also checks for mobile-specific security problems, such as jailbreaking and malicious Wi-Fi networks. 
 
SCA, or Software Composition Analysis, examines the third-party components that make up an application.  Instead of writing all code from scratch, many developers use code libraries that come from either commercial or open-source sources.  SCA tools can help developers determine if they can trust these third-party components. 
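The matching step at the heart of SCA, as an added example that is not code from the original glossary: pinned dependencies from a `requirements.txt`-style file are compared against a list of advisories, each saying which package is affected below which fixed version. The package names, versions and advisory identifiers below are constructed placeholders, not real vulnerabilities. Real SCA tools pull advisories from public databases and also resolve transitive dependencies and licence terms; this script shows only how a pin is judged against an advisory.

```python
"""Toy SCA check: match pinned dependencies against an advisory list.

Added example, not code from the original glossary. All package names,
versions and advisory ids are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str       # every version below this one is affected
    advisory_id: str    # constructed placeholder, not a real identifier


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1); pads so '2.4' and '2.4.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> dict[str, str]:
    """Collect 'name==version' pins; comments and unpinned specs are skipped."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        pinned[name.strip().lower()] = version.strip()
    return pinned


def audit(requirements_text: str, advisories: list[Advisory]) -> list[tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for each affected pin."""
    pinned = parse_requirements(requirements_text)
    hits = []
    for adv in advisories:
        installed = pinned.get(adv.package.lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv.package, installed, adv.advisory_id))
    return hits


# Constructed advisory feed.
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "EXAMPLE-0001"),
    Advisory("otherlib", "1.0.5", "EXAMPLE-0002"),
    Advisory("safelib", "3.0.0", "EXAMPLE-0003"),
]

# Constructed requirements file.
REQUIREMENTS = """\
examplelib==2.3.0      # older than the fix in 2.4.1 -> flagged
otherlib==1.0.5        # exactly the fixed version -> clean
safelib==3.1.2         # newer than the fix -> clean
unpinned>=1.0          # not pinned, so this toy parser skips it
"""

if __name__ == "__main__":
    for package, version, advisory_id in audit(REQUIREMENTS, ADVISORIES):
        print(f"{package}=={version} is affected by {advisory_id}; upgrade")
```

Note that an unpinned requirement cannot be judged at all, which is one reason SCA tools work from a lock file or the resolved dependency tree rather than from loose version ranges.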

Finally, there’s RASP, which stands for Runtime Application Self-Protection. It’s similar to IAST, in that it runs on the same server as the application that is to be scanned.  In addition to what IAST can do, RASP can also block many types of incoming attacks on the application. 
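One way a RASP agent can block an attack from inside the application, as an added example that is not code from the original glossary: every SQL statement is normalised (string and numeric literals replaced by a placeholder) and its shape compared with the set of shapes the application is known to issue; a statement whose shape is new is refused and logged instead of reaching the database. The table, the query and the injected value are constructed for this example, and the guard wraps Python's built-in `sqlite3` module to keep it self-contained.

```python
"""Toy RASP guard: refuse SQL statements whose structure is unexpected.

Added example, not code from the original glossary. Sample schema,
queries and values are constructed for illustration.
"""
import re
import sqlite3

# Quoted strings (with '' escapes) and bare numbers are the parts of a
# statement that legitimately vary; everything else is structure.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(sql: str) -> str:
    """Replace literals with ? and collapse whitespace so only structure remains."""
    shape = _LITERAL.sub("?", sql)
    return " ".join(shape.split()).upper()


class BlockedStatement(Exception):
    pass


class GuardedConnection:
    """Wraps a sqlite3 connection; executes only statements with a known shape."""

    def __init__(self, conn: sqlite3.Connection, allowed_statements):
        self._conn = conn
        self._allowed = {normalize(s) for s in allowed_statements}
        self.blocked = []  # audit trail of refused statements for the SOC

    def execute(self, sql: str, params=()):
        shape = normalize(sql)
        if shape not in self._allowed:
            self.blocked.append(sql)
            raise BlockedStatement(f"statement shape not allowed: {shape}")
        return self._conn.execute(sql, params)


def demo() -> tuple[int, int, int]:
    """Return (rows from a normal lookup, rows from an injected lookup, blocked count)."""
    raw = sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (name TEXT, role TEXT)")
    raw.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "user"), ("bob", "admin")])
    # The allowed list is the application's own statement, learned once.
    guard = GuardedConnection(raw, ["SELECT name FROM users WHERE name = 'x'"])

    # Same shape as the allowed statement: runs normally.
    normal_rows = guard.execute(
        "SELECT name FROM users WHERE name = 'alice'").fetchall()

    # The same (badly written) code path with an injected value changes the
    # statement's shape, so the guard refuses it before the database sees it.
    injected_value = "' OR '1'='1"
    try:
        guard.execute(f"SELECT name FROM users WHERE name = '{injected_value}'")
        injected_rows = -1  # would mean the guard failed
    except BlockedStatement:
        injected_rows = 0
    return len(normal_rows), injected_rows, len(guard.blocked)


if __name__ == "__main__":
    print(demo())
```

The guard does not know what an attack looks like; it only knows what the application's own statements look like, which is why a RASP layer can stop the injected lookup without a signature for that specific payload. The price is the learning step: every legitimate statement shape must be registered, or the guard will block real traffic.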

As you can see, there are various types of AST for different types of devices, and for different situations. AST should be part of your security arsenal for the entire application lifecycle.