DAST and SAST – Dynamic Application Security Testing and Static Application Security Testing respectively - are traditionally associated with web application security. Today’s ever increasing demand for connectivity for embedded devices across the sectors has seen a corresponding requirement for security tools and testing methodologies that are equally appropriate in this environment. Developers of connected cars, medical devices, industrial plant, railways and aircraft alike are facing increasing pressure to get to grips with security vulnerabilities.
In some cases, the exact same testing tools are applicable. For example, web applications and connected embedded devices can be similarly vulnerable to SQL injection. Penetration testing and fuzz testing can expose these and other security vulnerabilities in embedded devices just as surely as they can in web applications. But the shift left paradigm demands more than merely the black box testing of complete, running applications – and functional safety standards demand that security issues with the potential to compromise safety are handled like any other hazard.
The secure software development life cycle (SSDLC) requires that security is designed in. Doing so effectively demands evidence of adherence to security requirements and a rigorous and thorough process to ensure the absence of potential security flaws during design and development. Merely exposing such flaws at the end of that process simply isn’t good enough.
SAST and DAST testing takes many forms, and both SAST and DAST software tools therefore vary accordingly. White box DAST leverages the dynamic analysis techniques that have been proven for decades in environments demanding functional safety – including unit test, structural coverage analysis, robustness testing, and on-target testing to ensure that the combination of hardware platform and software application is sound. In combination with the static analysis associated with SAST, white box DAST provides evidence that security requirements are met right down to function level and shows that there is no surplus code that could potentially be hiding back door methods. Used in combination with SAST, white box DAST security tools are key components in the realisation of the shift left paradigm.