Gartner Group used the following definitions when evaluating vendors in the Application Security Testing sector in their August 2015 report:
Static AST (SAST) technology analyzes an application's source, bytecode or binary code for security vulnerabilities typically at the programming and/or testing software life cycle (SLC) phases (see "Hype Cycle for Application Security, 2015").
Dynamic AST (DAST) technology analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically Web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.
Interactive AST (IAST) technology combines elements of SAST and DAST simultaneously. It is typically implemented as an agent within the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes attacks and identifies vulnerabilities.
Mobile AST uses a combination of traditional SAST and DAST and behavioral analysis using static and dynamic techniques to discover malicious or potentially risky actions the app may be taking unbeknown to the user (for example, activating the user's address book or GPS).
The technology approaches can be delivered as a tool or as a subscription service. Many of the larger vendors offer both options to reflect enterprise requirements for both a product and service. Collectively, AST is adopted by the majority of enterprises, but the various technologies differ in adoption and maturity. DAST, followed by SAST, is the most widely adopted, while IAST and mobile AST have only recently emerged. This Magic Quadrant focuses on a vendor's maturity in offering SAST and DAST features as tools or as security as a service, and has weighted more heavily vendors' innovation in AST for mobile applications, IAST and emerging runtime application security protection (RASP) capabilities.

So who are the winners and losers? Send your comments to the Cloud and Cyber Security Center.
Good info shared on the Gartner Group that innovated in AST for mobile applications. Short definitions provided on Mobile AST, IAST, Dynamic AST as well as on Dynamic AST.