Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) are traditionally associated with web applications. Today’s safety- and security-critical applications need to embrace not only an ever-increasing demand for connectivity for embedded devices, but also the cost-cutting adoption of open source software. There is a corresponding requirement for security tools and testing methodologies that are equally appropriate in this environment. Developers of connected cars, medical devices, industrial plant, railways and aircraft alike are facing increasing pressure to get to grips with security vulnerabilities.
In some cases, the exact same testing tools are applicable. For example, web applications and connected embedded devices can be similarly vulnerable to aggressors attacking the application, perhaps using SQL injection or cross-site scripting. Penetration testing and fuzz testing can expose these and other security vulnerabilities in embedded devices just as surely as they can in web applications. But the shift-left paradigm demands more than merely the black box testing of complete, running applications – and functional safety standards demand that security issues with the potential to compromise safety are handled like any other hazard.
The secure software development life cycle (SSDLC) requires that security is designed in, perhaps as part of a CI/CD pipeline. Doing so effectively demands evidence of adherence to security requirements and a rigorous and thorough process to ensure the absence of potential security flaws during design and development. If vulnerabilities are only sought at the end of that process, the likelihood is that fewer issues will be found, leaving the resulting application vulnerable.
SAST and DAST take many forms, and SAST and DAST tools therefore vary accordingly. White box DAST leverages the dynamic analysis techniques that have been proven for decades in environments demanding functional safety – including unit test, structural coverage analysis, robustness testing, and on-target testing to ensure that the combination of hardware platform and software application source code is sound. It provides evidence that security requirements are met right down to function level and shows that there is no surplus code (perhaps deliberately planted, or resulting from configuration mistakes) that could potentially be hiding back door methods. Traditional black box DAST scans, applying techniques such as fuzz and penetration testing, have a role to play in showing that the designed-in security measures are effective. Used in combination with SAST, white and black box DAST security tools are key components in the realisation of the shift-left paradigm.
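As an added illustration, not code from the original article or any particular tool, the following C module shows what the white box DAST evidence described above looks like at function level: requirements-based unit tests exercise a small embedded setpoint handler, and assumed hand-written coverage probes (a real tool would insert equivalent instrumentation automatically) reveal any function that no requirement-traced test ever reaches, which is exactly the surplus code that needs review. The device state, requirement identifiers R1/R2 and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Function-level coverage table (assumed instrumentation): one slot per function. */
enum { FN_VALIDATE, FN_APPLY, FN_LEGACY_DUMP, FN_COUNT };
static const char *fn_names[FN_COUNT] = { "validate_setpoint", "apply_setpoint", "legacy_debug_dump" };
static unsigned fn_hits[FN_COUNT];
#define COVER(id) (fn_hits[(id)]++)

static int16_t g_setpoint; /* constructed device state */

/* Requirement R1 (constructed): a setpoint is valid only in the range 0..1000. */
int validate_setpoint(int32_t v) { COVER(FN_VALIDATE); return v >= 0 && v <= 1000; }

/* Requirement R2 (constructed): invalid values are rejected and state is unchanged. */
int apply_setpoint(int32_t v) {
    COVER(FN_APPLY);
    if (!validate_setpoint(v)) return -1;
    g_setpoint = (int16_t)v;
    return 0;
}

/* Traceable to no requirement: this is the surplus code the coverage evidence should expose. */
void legacy_debug_dump(char *out, size_t n) { COVER(FN_LEGACY_DUMP); snprintf(out, n, "sp=%d", g_setpoint); }

/* Requirements-based unit tests; each case names the requirement it verifies. Returns failures. */
int run_requirement_tests(void) {
    int failures = 0;
    memset(fn_hits, 0, sizeof fn_hits);
    failures += !(apply_setpoint(500) == 0 && g_setpoint == 500);        /* R1/R2 nominal */
    failures += !(apply_setpoint(-1) == -1 && g_setpoint == 500);        /* R2 below range */
    failures += !(apply_setpoint(1001) == -1 && g_setpoint == 500);      /* R2 above range (robustness) */
    failures += !(apply_setpoint(0) == 0 && apply_setpoint(1000) == 0);  /* R1 boundaries */
    return failures;
}

/* Number of functions never executed by the requirement tests; names go to `report` if non-NULL. */
int uncovered_functions(char *report, size_t n) {
    int count = 0;
    if (report && n) report[0] = '\0';
    for (int i = 0; i < FN_COUNT; i++) {
        if (fn_hits[i] != 0) continue;
        if (report && n) snprintf(report + strlen(report), n - strlen(report), "%s%s", count ? " " : "", fn_names[i]);
        count++;
    }
    return count;
}

int main(void) {
    char report[128];
    int failed = run_requirement_tests();
    int surplus = uncovered_functions(report, sizeof report);
    printf("test failures: %d, functions with no requirement-based coverage: %d (%s)\n", failed, surplus, report);
    return failed || surplus; /* either result blocks the build in a CI/CD gate */
}
```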