Tech With Htunn
  • Blog Content
  • DevSecOps
    • understanding devsecops
    • shift left in devsecops
    • what is the different between SAST and DAST in devsecops?
    • what is software composition analysis (SCA)?
    • what is Software Bill of Materials (SBOM)?
    • dependency scanning in devsecops
    • what is continuous integration in devops?
    • what is continuous delivery and deployment in devops?
    • understanding containerization
    • container scanning in devsecops
  • Data Engineering
    • what is data engineering?
    • Medallion Architecture in Data Engineering
    • understanding DataOps?
    • Difference between ETL and ELT pipeline in Data Engineering
  • IAM
    • what is Identity and Access Management?
    • understanding microsoft graph api
    • what is SCIM in IAM?
    • Different between sp and idp initiated flow in saml?
    • what is the difference between OAuth-2.0 and OIDC?
    • Understanding PKCE in OAuth-2.0?
    • what is SCIM Streaming?
    • what is the meaning of Identity broker?
  • Cloud Architect
    • what is cloud archiect?
    • Understanding even-driven architecture?
    • what is cloud native architecture?
    • what is cloud native application?
    • Understanding web application firewall?
  • SRE
    • what is SRE?
    • Meaning of toil in SRE?
    • what is error budget in SRE?
    • Difference between SLA, SLO and SLI in SRE
    • Understanding MTTR in SRE?
Powered by GitBook
On this page
  1. DevSecOps

what is the different between SAST and DAST in devsecops?

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are two essential components of a comprehensive security strategy in DevSecOps. They serve different purposes and are used at different stages of the software development lifecycle.

SAST (Static Application Security Testing)

SAST is a white-box testing method that analyzes the source code, bytecode, or binary code of an application without executing it. It aims to identify vulnerabilities such as SQL injection, cross-site scripting (XSS), and buffer overflows early in the development process.

Key Features:

  • Early Detection: SAST can be integrated into the CI/CD pipeline to run automatically whenever code is committed. This allows developers to catch and fix vulnerabilities early.

  • Code Analysis: It examines the codebase for security flaws, ensuring that the code adheres to security best practices.

  • Immediate Feedback: Developers receive instant feedback on potential security issues, which can be addressed before the code is merged into the main branch.

Example Using GitLab:

  1. Integration: Configure GitLab CI/CD to include SAST in the pipeline. This can be done by adding a .gitlab-ci.yml file with the necessary SAST configuration.

  2. Execution: When a developer commits code, GitLab automatically runs SAST to analyze the code for vulnerabilities.

  3. Report: GitLab generates a report highlighting any security issues found, allowing developers to address them promptly.

stages:
  - test

sast:
  stage: test
  script:
    - echo "Running SAST"
  artifacts:
    reports:
      sast: gl-sast-report.json

DAST (Dynamic Application Security Testing)

DAST is a black-box testing method that analyzes a running application to identify vulnerabilities that could be exploited by an attacker. It simulates real-world attacks to find issues such as XSS, SQL injection, and broken authentication.

Key Features:

  • Runtime Analysis: DAST tests the application in its running state, providing a realistic assessment of how it behaves under attack.

  • External Perspective: It simulates an attacker’s approach, identifying vulnerabilities that may not be apparent in the source code.

  • Comprehensive Testing: DAST can uncover issues related to the application’s environment and configuration, which SAST might miss.

Example Using GitLab:

  1. Deployment: Deploy the application to a staging environment where it can be tested without affecting production.

  2. Integration: Configure GitLab CI/CD to include DAST in the pipeline. This can be done by adding a .gitlab-ci.yml file with the necessary DAST configuration.

  3. Execution: GitLab runs DAST against the deployed application, simulating attacks to identify vulnerabilities.

  4. Report: GitLab generates a report detailing any security issues found, allowing the team to address them before the application goes live.

stages:
  - test

dast:
  stage: test
  script:
    - echo "Running DAST"
  artifacts:
    reports:
      dast: gl-dast-report.json
  dast_configuration:
    site_profile: "Staging Site"
    scanner_profile: "Full Scan"

Summary

  • SAST is used early in the development process to analyze the code for vulnerabilities without executing it. It provides immediate feedback to developers, helping them fix issues before the code is merged.

  • DAST is used later in the development process to test the running application for vulnerabilities. It simulates real-world attacks to identify issues that might not be visible in the source code.

By integrating both SAST and DAST into your GitLab CI/CD pipeline, you can ensure a robust security posture, catching different types of vulnerabilities at various stages of the development lifecycle

Previousshift left in devsecopsNextwhat is software composition analysis (SCA)?

Last updated 4 months ago