1. 静态应用安全测试(SAST):
这是一种白盒测试方法,意味着它们需要访问源代码才能函数。它通过在部署之前检查代码来发现所有安全漏洞,包括软件缺陷和弱点,例如 SQL 注入等。 SAST 不需要运行系统来执行评估。
静态应用程序安全测试 (SAST) 是一种高度可扩展的安全测试方法。它也可以自动化,这将有助于节省时间和金钱。 SAST 测试在软件开发生命周期 (SDLC) 的早期进行,因此很容易更早地发现潜在的安全漏洞。
2. 动态应用安全测试(DAST):
它是一种黑盒测试方法,这意味着测试是从正在运行的应用程序外部执行的,而不是查看内部源代码或应用程序架构。它正在运行以通过检查应用程序来查找广泛的漏洞。 DAST 需要一个运行系统来执行评估。
与软件应用程序的操作部署相关的不同安全漏洞可以通过动态应用程序安全测试 (DAST) 来确定。在 DAST 中,测试人员执行类似于攻击者的操作,因此它有助于找出其他测试技术可能遗漏的不同安全漏洞。
静态应用程序安全测试 (SAST) 和动态应用程序安全测试 (DAST) 的区别:
| S.NO. | Static Application Security Testing | Dynamic Application Security Testing |
|---|---|---|
| 1. | SAST is a type of White Box security testing. | DAST is type of Black Box security testing. |
| 2. | In SAST, application is tested from inside out. | In DAST, application is tested from outside in. |
| 3. | This type testing is a developers approach of testing. | This type testing is a hackers approach of testing. |
| 4. | No deployed application is required for Static Application Security Testing. | A running application is required for Dynamic Application Security Testing. |
| 5. | Finding vulnerabilities, identifying and fixing bugs is easier in SAST. | Finding vulnerabilities towards end of SDLC. |
| 6. | Fixing vulnerabilities is possible with little cost assistance. | It finds vulnerabilities towards end of SDLC, hence it is expensive to do so. |
| 7. | SAST can not discover issues related run time and environment. | DAST can discover issues related to run time and environment. |
| 8. | Typically it supports all types of software like web applications, web services, thick client. | Typically it only scans apps like web applications, web services but not other types of software. |
| 9. | In this testing, developer has knowledge about design, application framework and implementation. | In this testing, tester has no knowledge about application, design, frameworks and implementation that application is built on. |
| 10. | SAST tesing requires source code to perform testing operation. | DAST testing does not require source code to perform testing operation. |
| 11. | As it scans static code and performs its testing operation that is why it is called Static Application Security Testing (SAST). | As it scans dynamic code and performs its testing operation that is why it is called Dynamic Application Security Testing (DAST). |
| 12. | This testing is performed in early stages of Software Development Life Cycle (SDLC). | This testing is performed at end of Software Development Life Cycle (SDLC). |
| 13. | In SAST, there is costly long duration dependent on experience of tester. | In DAST, tester is unable to perform comprehensive application analysis since this is carried our externally. |
| 14. | In SAST, tester is able to perform comprehensive application analysis. | DAST can be done faster as compared to other types of testing due to restricted scope. |