DAST vs SAST | Walkthrough | Infosec

Madhavan M
2 min read · Dec 9, 2020

Salutations! Security testing is crucial for a well-built application: it helps protect the application from attackers.

There are plenty of ways to test an application's security, and two of the most common ones are the topic of this blog.

Let's get to know these two.

Before that, be clear that applications are built from code, i.e. computer programs, and that code needs some other tool or application, such as a web server, to run.

To understand this, think of it this way: application code resting in your directory is in a static state, while a running application is in a dynamic state.

So, performing security testing on the application in its resting (static) state is known as SAST, Static Application Security Testing. In contrast, performing security testing on the application in its running state, such as a web application hosted on a web server, is known as DAST, Dynamic Application Security Testing.

I hope this gives you some idea of the two.

So let's see how these things are done. I will show you some of the basic, free tools available for performing these two kinds of testing.

I'll just go straight to some screenshots of the tools, so that you can get a clear picture of how things look in practice.

In the screenshot below, I have shown a command to run a SAST tool on the source-code directory. You may have figured out that the tool I used is Bandit, a SAST tool for Python-based applications. Here I have a Python repository in the present directory, so I used a '.' (dot) to represent it; the other arguments say where to store the output and in which format.

(Screenshot: SAST using the Bandit tool)
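To make concrete what a SAST tool like Bandit does when pointed at a directory, here is an added example (my code, not Bandit's and not from the original post): a minimal AST-based checker that walks Python source for a few of the patterns Bandit reports, such as `shell=True`, weak hashes and hardcoded secrets, without executing any of the code. The in-memory sample source, the check names, the severities and the JSON layout are constructed for this example.

```python
"""Minimal SAST pass in the spirit of Bandit (added example; not Bandit's code)."""
import ast
import json
from dataclasses import dataclass, asdict

# Constructed sample "repository", held in memory instead of the '.' directory.
SAMPLE_SOURCE = '''
import subprocess
import hashlib

DB_PASSWORD = "hunter2"                      # hardcoded secret

def run(cmd):
    return subprocess.call(cmd, shell=True)  # shell-injection risk

def digest(data):
    return hashlib.md5(data).hexdigest()     # weak hash

def safe():
    return subprocess.call(["ls", "-l"])     # argument list, no shell
'''

# Assumed identifier fragments that suggest a secret is being assigned.
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


@dataclass
class Finding:
    line: int
    check: str
    severity: str
    message: str


def qualified_name(func):
    """Return 'module.attr' for module.attr(...) calls, the bare name for name(...) calls, else ''."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return ""


class Checker(ast.NodeVisitor):
    """Walks the syntax tree once and records findings; nothing is executed."""

    def __init__(self):
        self.findings = []

    def report(self, node, check, severity, message):
        self.findings.append(Finding(node.lineno, check, severity, message))

    def visit_Assign(self, node):
        # A secret-looking name assigned a string literal.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(k in target.id.lower() for k in SECRET_NAMES):
                    self.report(node, "hardcoded_secret", "LOW",
                                f"possible hardcoded secret assigned to '{target.id}'")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = qualified_name(node.func)
        if name.startswith("subprocess."):
            # shell=True hands the command string to /bin/sh, so untrusted input becomes injection.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.report(node, "subprocess_shell_true", "HIGH", f"{name} called with shell=True")
        elif name == "os.system":
            self.report(node, "os_system", "HIGH", "os.system passes its argument to a shell")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self.report(node, "weak_hash", "MEDIUM", f"{name} is not collision resistant")
        elif name in ("eval", "exec"):
            self.report(node, "dynamic_code", "MEDIUM", f"use of {name}() on possibly untrusted input")
        self.generic_visit(node)


def scan_source(source, filename="<memory>"):
    """Parse one file's text and return its findings ordered by line."""
    tree = ast.parse(source, filename=filename)
    checker = Checker()
    checker.visit(tree)
    return sorted(checker.findings, key=lambda f: f.line)


def to_json(findings):
    """Serialise findings; mirrors the idea behind Bandit's output-file and format arguments."""
    return json.dumps({"results": [asdict(f) for f in findings]}, indent=2)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.severity}] {f.check}: {f.message}")
```

Run it as a script and it reports three findings on lines 5, 8 and 11 of the sample, while the `safe()` function, which passes an argument list without a shell, is not flagged. Scanning a real repository would mean reading each `.py` file under the directory and calling `scan_source` on it; a real tool such as Bandit adds many more checks and confidence levels, but the principle is the same: reason about the code's structure without running it.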

To demonstrate a DAST tool, I am using Nikto here. In the screenshot below, you can see that we have run the test against the well-known, intentionally vulnerable site demo.testfire.net, and the results of the test appear in the following lines of the screenshot.

(Screenshot: DAST using the Nikto tool)
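To show what a DAST tool like Nikto is actually doing when it talks to a running target, here is an added example (my code, not Nikto's and not from the original post): it starts a constructed, deliberately bare HTTP server on loopback, fetches a page from it while it is running, and audits the live response headers the way a scanner's header checks would. The expected-header list, the demo handler and the finding messages are assumptions of this example, not Nikto's own checks.

```python
"""Tiny dynamic (black-box) check against a running HTTP target (added example; not Nikto's code)."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Assumed list of response headers a scanner expects on a web application.
EXPECTED_HEADERS = {
    "X-Frame-Options": "no clickjacking protection",
    "X-Content-Type-Options": "MIME sniffing not disabled",
    "Content-Security-Policy": "no Content-Security-Policy",
    "Strict-Transport-Security": "no HSTS policy",
}


def audit_headers(headers):
    """Pure check over a response header mapping; returns a list of (header, message) findings.

    Works with a plain dict and with the HTTPMessage object that urlopen returns.
    """
    present = {k.lower(): v for k, v in headers.items()}
    findings = [(name, msg) for name, msg in EXPECTED_HEADERS.items()
                if name.lower() not in present]
    # Like Nikto's banner check, flag a Server header that leaks a version number.
    server = present.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(("Server", f"banner discloses software version: {server}"))
    return findings


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: a bare server that sets no security headers."""

    def do_GET(self):
        body = b"<html><body>demo app</body></html>"
        self.send_response(200)  # also adds the default Server and Date headers
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def scan_local(handler=DemoHandler, path="/"):
    """Run the target on an ephemeral loopback port, fetch a page while it is live, audit the response."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return resp.status, audit_headers(resp.headers)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, found = scan_local()
    print(f"GET / -> {status}")
    for header, message in found:
        print(f"  {header}: {message}")
```

Run as a script, the demo server answers with only Content-Type, Content-Length, Date and the default Python `Server` banner, so the audit lists the four missing security headers plus the version disclosure. The key difference from the SAST example is visible in `scan_local`: the checker never sees the source of the target, it only observes what the running service sends back, which is exactly why DAST needs a deployed application and why a site like demo.testfire.net exists for practising it.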

This is just a basic introduction to the difference between the two kinds of security testing, and I hope this blog gives you some understanding of them.

Do comment your thoughts below.

Thanks for reading.
