📜  Difference between SAST and DAST

📅  Last modified: 2021-08-24 04:43:32             🧑  Author: Mango

1. Static Application Security Testing (SAST):
This is a white-box testing method, which means the tool needs access to the source code in order to work. It finds security vulnerabilities, including software flaws and weaknesses such as SQL injection, by examining the code before it is deployed. SAST does not require a running system to perform its assessment.

Static Application Security Testing (SAST) is a highly scalable security testing method. It can also be automated, which helps save time and money. SAST is performed early in the Software Development Life Cycle (SDLC), so potential security vulnerabilities are easy to discover early.

2. Dynamic Application Security Testing (DAST):
This is a black-box testing method, which means the tests are executed from outside the running application rather than by looking at its internal source code or architecture. It finds a wide range of vulnerabilities by examining the application while it runs. DAST requires a running system to perform its assessment.

Dynamic Application Security Testing (DAST) can identify the various security vulnerabilities associated with the operational deployment of a software application. In DAST, the tester performs operations similar to those of an attacker, which helps uncover security vulnerabilities that other testing techniques might miss.
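The two sections above describe the same flaw class (SQL injection) being found in two different ways: SAST by reading the code, DAST by exercising the running application. The following added example, which is not part of the original article and is not from any particular SAST or DAST product, shows both approaches side by side in miniature on a constructed code sample. The static check walks the Python AST and flags `execute()` calls whose query string is built by formatting or concatenation; the dynamic check never looks at the source, it only runs the function against a live SQLite database with a realistic input containing an apostrophe ("O'Brien") and observes whether the application errors. The function name `find_user`, the sample sources and the table layout are all assumptions made for the demonstration.

```python
import ast
import sqlite3

# Constructed sample sources (assumptions for this demo, not code from the
# article). The first builds SQL by string formatting; the second uses a
# parameterised query.
VULNERABLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = '%s'" % name)
    return cursor.fetchall()
'''

SAFE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cursor.fetchall()
'''


def sast_find_dynamic_sql(source):
    """SAST-style check: operates on source text only, nothing is executed.

    Flags execute()/executemany() calls whose first argument is assembled
    with the % or + operator, an f-string, or str.format(). Returns a list
    of (line_number, reason) findings.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        query = node.args[0]
        if isinstance(query, ast.BinOp) and isinstance(query.op, (ast.Mod, ast.Add)):
            findings.append((node.lineno, "query built with % or + operator"))
        elif isinstance(query, ast.JoinedStr):
            findings.append((node.lineno, "query built with an f-string"))
        elif (isinstance(query, ast.Call)
              and isinstance(query.func, ast.Attribute)
              and query.func.attr == "format"):
            findings.append((node.lineno, "query built with str.format()"))
    return findings


def load_find_user(source):
    """Turn a source snippet into a callable, standing in for a deployed app."""
    namespace = {}
    exec(source, namespace)
    return namespace["find_user"]


def dast_probe(find_user):
    """DAST-style check: black box, only observes behaviour of the running code.

    Builds a small live database, then calls the function with an ordinary
    name containing an apostrophe. A parameterised query treats the quote as
    data; a string-built query breaks and surfaces a database error, which
    is exactly the externally visible symptom a dynamic scanner keys on.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    cursor = conn.cursor()
    baseline = find_user(cursor, "alice")  # normal input must still work
    try:
        find_user(cursor, "O'Brien")
    except sqlite3.Error as exc:
        return {"baseline": baseline, "vulnerable": True,
                "evidence": type(exc).__name__}
    return {"baseline": baseline, "vulnerable": False, "evidence": None}


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("safe", SAFE_SOURCE)):
        print(label, "SAST findings:", sast_find_dynamic_sql(src))
        print(label, "DAST result:  ", dast_probe(load_find_user(src)))
```

Note how the two checks disagree on what they need: the static check returns its finding with a line number and needs no database at all, while the dynamic check reports only a symptom (an `OperationalError` escaping the handler) and cannot say which line caused it. That is the trade-off the comparison table below spells out.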

Differences between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST):

| S.No. | Static Application Security Testing (SAST) | Dynamic Application Security Testing (DAST) |
|---|---|---|
| 1. | SAST is a type of white-box security testing. | DAST is a type of black-box security testing. |
| 2. | In SAST, the application is tested from the inside out. | In DAST, the application is tested from the outside in. |
| 3. | This type of testing is a developer's approach to testing. | This type of testing is a hacker's approach to testing. |
| 4. | No deployed application is required for SAST. | A running application is required for DAST. |
| 5. | Finding vulnerabilities and identifying and fixing bugs is easier in SAST. | Vulnerabilities are found towards the end of the SDLC. |
| 6. | Vulnerabilities can be fixed at little cost. | It finds vulnerabilities towards the end of the SDLC, so fixing them is expensive. |
| 7. | SAST cannot discover issues related to the runtime and environment. | DAST can discover issues related to the runtime and environment. |
| 8. | Typically supports all types of software, such as web applications, web services and thick clients. | Typically only scans web applications and web services, not other types of software. |
| 9. | In this testing, the developer has knowledge of the design, application framework and implementation. | In this testing, the tester has no knowledge of the application's design, frameworks or implementation. |
| 10. | SAST requires the source code to perform testing. | DAST does not require the source code to perform testing. |
| 11. | It scans static code, which is why it is called Static Application Security Testing (SAST). | It scans the running (dynamic) application, which is why it is called Dynamic Application Security Testing (DAST). |
| 12. | This testing is performed in the early stages of the Software Development Life Cycle (SDLC). | This testing is performed at the end of the Software Development Life Cycle (SDLC). |
| 13. | SAST can be costly and long-running, depending on the experience of the tester. | In DAST, the tester is unable to perform a comprehensive application analysis, since testing is carried out externally. |
| 14. | In SAST, the tester is able to perform a comprehensive application analysis. | DAST can be done faster than other types of testing because of its restricted scope. |