SAST and DAST: Part of a Balanced Software Security Initiative

Software Security Testing: DAST and SAST

“…is part of this balanced breakfast…”

This is the claim of many sugary cereals aimed directly at children. It is also the claim of many vendors in the software security market.

Selling cereal targeting children is an interesting proposition. To make the adults that ultimately have to buy the cereal feel better, the cereal in question is shown as a component of a larger breakfast offering composed of milk, fruit, toast, and some form of juice, with the suggestion that the cereal is part of a “complete” or “balanced” breakfast.

The goal here is to mollify fears that the cereal your child is requesting is the equivalent of crushing cookies and placing them in a bowl. By portraying the cereal as part of a balanced breakfast, the vendor is hoping you buy the intimation that the cereal is an equal player in creating a healthy balance. Of course, the reality is that the balance is due largely to the milk, fruit, bread, and juice – the cereal actually brings down the nutritional score of the other assembled parts. Read at face value, the vendor is saying that the cereal on its own does not represent a balanced breakfast.

I use this metaphor because many testing vendors sell you a tool – their tool – as your answer to software security. If you carefully analyze their words, what you will see is that their tool is the bowl of sugary cereal bringing down your nutritional value. Like cereal ads, vendors speak to the benefits of the milk, fruits, breads, and juice, but it is not their tool that delivers those benefits.

The truth is that, aside from tools, there are many types of application security testing (AST) that can be used to determine the vulnerabilities in software. Static (SAST) and dynamic (DAST) testing are the most established and widely used, but there are others. An accepted truth is that different types of tests will find different things. Business logic testing adds human security expertise to the process, finding vulnerabilities that automated scans may miss. So real accuracy – the balanced breakfast – is found in a combination of tools and human expertise.

Back to the cereal. A rational adult would immediately recognize that the sugary cereal in the middle is not pulling proportionate weight in the balanced breakfast equation. However, you have a persistent child who really, really wants that cereal. Furthermore, making a balanced breakfast is a tall order on a hectic morning. You also recognize that even if you offered your child the balanced breakfast, they would likely gobble down the cereal and pass on the other parts.

So you pour the cereal, checking the box to make sure your child has had at least a part of a complete breakfast. The child appears to function at a high level of energy, so you perceive no risk.

It is the same with those chartered with software security. It is easier to believe the siren’s song of the vendor with the fabulous easy button, one perfect test that finds all of your problems and equips your team to eliminate the risks. One tool that magically applies to every situation. But an effective software security initiative does not pour out of a single box.

Most organizations have far more applications in their portfolio than they can count. The risks associated with those applications vary, so the depth of testing for each will vary. Organizations used to be able to get away with only testing high-risk applications, but those days are gone. There are no “one-size-fits-all” solutions, so there is no one product that can solve every problem.

There is an even more profound problem because half of all vulnerabilities are actually found in the architecture and design and are not coding bugs. To find these issues, the organization must employ activities such as architecture analysis and threat modeling.

There’s more. You will also need training to teach developers how to integrate security into their software development lifecycle (SDLC). You will likely want to put structure around your software security initiative (SSI) activities. You will want metrics that show management the progress and return on your software security spend.

Like I said: there is no easy button. No neat box to rip open and pour out good software security. Your organization must make the commitment to taking your software security initiative (SSI) – a balanced breakfast – seriously.

An organization must consider multiple testing methods to really manage its risk. When choosing a vendor, consider the breadth of its services. If you decide that you want to use a vendor that has a narrow scope of offerings, you need to resist falling for their sugary cereal story and embrace the notion that the organization will need to interact with more than one vendor to balance the breakfast, which is fine. Having multiple vendors can be a positive thing, and a little healthy competition between your vendors keeps them on their toes, which benefits you.

So where do you go from here? Apply some good, old-fashioned cynicism to the “easy button” claims and recognize that a balanced software security breakfast does have multiple components. But don’t just take my word for it. The Building Security In Maturity Model (BSIMM) is a thorough study of the software security initiatives of 78 companies, so you can see real-world data on what organizations that have committed to a complete breakfast are doing. You will find that their approaches may vary, but the consistent element is that they employ multiple tests and scans.

In other words, pass the fruit, bread, and juice, please.
