1.静态应用程序安全测试(SAST):
这是一种白盒测试方法,这意味着它们需要访问源代码才能函数。它通过在部署代码之前检查代码来发现所有安全漏洞,包括软件漏洞和弱点,例如SQL注入等。 SAST不需要正在运行的系统即可执行评估。
静态应用程序安全测试(SAST)是一种高度可扩展的安全测试方法。它也可以自动化,这将有助于节省时间和金钱。 SAST测试是在软件开发生命周期(SDLC)的早期进行的,因此很容易及早发现潜在的安全漏洞。
2.动态应用程序安全性测试(DAST):
这是一种黑盒测试方法,这意味着测试是从功能正常的应用程序外部执行的,而不是查看内部源代码或应用程序体系结构。它正在通过检查应用程序来发现各种各样的漏洞。 DAST需要运行的系统来执行评估。
可以通过动态应用程序安全测试(DAST)确定与软件应用程序的操作部署相关联的不同安全漏洞。在DAST中,测试人员执行与攻击者相似的操作,从而帮助找出其他测试技术可能会遗漏的不同安全漏洞。
静态应用程序安全测试(SAST)和动态应用程序安全测试(DAST)之间的区别:
| S.NO. | Static Application Security Testing | Dynamic Application Security Testing |
|---|---|---|
| 1. | SAST is a type of White Box security testing. | DAST is type of Black Box security testing. |
| 2. | In SAST, application is tested from inside out. | In DAST, application is tested from outside in. |
| 3. | This type testing is a developers approach of testing. | This type testing is a hackers approach of testing. |
| 4. | No deployed application is required for Static Application Security Testing. | A running application is required for Dynamic Application Security Testing. |
| 5. | Finding vulnerabilities, identifying and fixing bugs is easier in SAST. | Finding vulnerabilities towards end of SDLC. |
| 6. | Fixing vulnerabilities is possible with little cost assistance. | It finds vulnerabilities towards end of SDLC, hence it is expensive to do so. |
| 7. | SAST can not discover issues related run time and environment. | DAST can discover issues related to run time and environment. |
| 8. | Typically it supports all types of software like web applications, web services, thick client. | Typically it only scans apps like web applications, web services but not other types of software. |
| 9. | In this testing, developer has knowledge about design, application framework and implementation. | In this testing, tester has no knowledge about application, design, frameworks and implementation that application is built on. |
| 10. | SAST tesing requires source code to perform testing operation. | DAST testing does not require source code to perform testing operation. |
| 11. | As it scans static code and performs its testing operation that is why it is called Static Application Security Testing (SAST). | As it scans dynamic code and performs its testing operation that is why it is called Dynamic Application Security Testing (DAST). |
| 12. | This testing is performed in early stages of Software Development Life Cycle (SDLC). | This testing is performed at end of Software Development Life Cycle (SDLC). |
| 13. | In SAST, there is costly long duration dependent on experience of tester. | In DAST, tester is unable to perform comprehensive application analysis since this is carried our externally. |
| 14. | In SAST, tester is able to perform comprehensive application analysis. | DAST can be done faster as compared to other types of testing due to restricted scope. |