Types of DAST
Post 5 - The Others
I have had thoughts about Static Analysis and Infrastructure Scanning, though I haven't had time to formally think them through and write out my thought process. I'll look to revisit these two topics in the future. This is the end of my DAST series for now. If I revisit SAST and IPMS, I’ll be sure to start a new series for them.
For now, here are some quick notes that may be useful to spark your interest, or lead you down the right path of what questions to start asking. At the least, you might learn some buzz words.
Static Application Security Testing (SAST)
Binary Analysis: Given a binary or code deployment, tools need to tear the binary apart, decompile, reverse engineer, etc
Source Code Analysis: Given raw source code, at various amounts of completeness, perform static code analysis to trace source-sink data paths, identify good/poor coding practices, malicious code detection, may include third party code composition,
Continuous Integration Scanning: This will be a trigger-point for BA or SCA included as part of the standard and automated build cycle for a development team.
Infrastructure/Patch Management Scanning
Infrastructure scanning, to me, is the activity of fingerprinting services that are hosted and running on all devices on the network (servers, VMs, laptops, thermostats, video conference devices, physical access badge systems, etc) to identify vulnerable configurations or software versions (including firmware and operating systems) that need to be patched.













