Fortify 300 Overview
Agenda – Application Security Terminology
• SAST
• DAST
• IAST
• RASP
SAST – Static Application Security Testing
• Static Application Security Testing analyzes application source code (or, for some tools, compiled bytecode/binaries) for security vulnerabilities without executing the application.
• One of the benefits of analyzing source code is that a finding points at the specific lines of code that introduce the vulnerability, so the developer knows exactly where to fix it.
• However, keep in mind that SAST cannot fully see how the application behaves at runtime (for example, configuration loaded from the environment, behavior inside frameworks or third-party libraries it cannot scan, or code paths selected by runtime data), so vulnerabilities that only show up while the application is actually running may be missed, and some findings are false positives that a runtime view would rule out.
• Another thing to keep in mind with SAST is that you need language support for the specific source code you will be testing. For example, if your application is written in C++, you need to make sure your scanning capability supports C++ (and the build system) before relying on it.
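To make the SAST point concrete (a finding tied to a specific line, produced without running the program), here is a toy static check written for this page; it is not Fortify code and uses a constructed sample program. It walks the Python AST, records names bound to strings built from variables (concatenation, `%`, `.format()`, f-strings), and reports every `execute()` call whose SQL argument is one of those dynamic strings, with its line number. Everything the check knows comes from the text of the program, which is exactly why it cannot see runtime-only behavior.

```python
"""Toy SAST check for SQL built by string formatting (added example, not Fortify code)."""
import ast

# Constructed sample program. Lines 6 and 12 build SQL from a variable; line 9 uses a parameter.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

def by_id(conn, uid):
    return conn.execute(f"SELECT * FROM users WHERE id = {uid}").fetchall()
'''


def builds_string_dynamically(node, dynamic_names):
    """True if node is an f-string, concatenation, % or .format() that mixes in a
    variable, or a name that was earlier bound to such a string."""
    if isinstance(node, ast.Name):
        return node.id in dynamic_names
    is_builder = (
        isinstance(node, ast.JoinedStr)
        or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))
        or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")
    )
    # A purely constant expression ("a" + "b") is not a finding.
    return is_builder and any(isinstance(n, ast.Name) for n in ast.walk(node))


def scan(source):
    """Return [(function_name, line_number)] for each execute() fed a dynamic SQL string."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        # Pass 1: which local names hold dynamically built strings?
        dynamic = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and builds_string_dynamically(node.value, dynamic):
                dynamic.update(t.id for t in node.targets if isinstance(t, ast.Name))
        # Pass 2: which execute() sinks receive one of them?
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and builds_string_dynamically(node.args[0], dynamic)):
                findings.append((func.name, node.lineno))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line in scan(SAMPLE_SOURCE):
        print(f"line {line}: dynamic SQL passed to execute() in {name}()")
```

The report names `find_user` at line 6 and `by_id` at line 12 and stays silent on the parameterized `find_user_safe`. Real SAST engines do this with inter-procedural taint tracking rather than per-function pattern matching, so a value that reaches `execute()` through several calls is still found; but any engine of this kind still only reasons about code it can parse, which is the language-support and runtime-blindness caveat above.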
DAST – Dynamic Application Security Testing
• Dynamic Application Security Testing finds security vulnerabilities in an application while it is running, by sending requests to the deployed application and observing its responses, without access to the source code.
• One of the benefits of dynamic testing is that you see how the application actually behaves at runtime, including its configuration, frameworks and backing services, so a finding reflects a vulnerability that is genuinely exposed to an attacker.
• However, keep in mind that after a vulnerability is found with dynamic testing you will not always have a clear indication of where in the code it needs to be fixed: the scanner sees the request that triggered the problem and the response, not the line of code responsible. Coverage is also limited to the parts of the application the scanner can reach and exercise.
IAST – Interactive Application Security Testing
• Interactive Application Security Testing normally places an agent inside the running application (for example, instrumenting the application server or runtime) which observes the application's internal behavior as it is exercised by tests or by a DAST scanner.
• Because the agent sees the request and the code and data flows it triggers inside the application, IAST can provide more information than dynamic testing alone: it can uncover what is actually happening within the application as it is tested and tie a finding back to the code location responsible.
RASP – Runtime Application Self-Protection
• Runtime Application Self-Protection runs inside the application itself, in production, and can detect and block attacks against the application as they happen.
• RASP can detect and prevent attacks on vulnerabilities that were not found during security testing of the application. Even when a vulnerability has been found but could not be fixed in time, RASP can still help protect the application while the fix is pending.
• It is important to keep in mind that RASP is not so much a testing solution as a protection control for the application during production runtime. It complements, rather than replaces, fixing the underlying code, and its own detection logic can produce false positives and needs to be tuned and monitored like any other production control.
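The following is an added example, not Fortify's implementation, of the idea RASP is built on: hook a sensitive sink inside the application and compare what reaches it against the current request. It uses a constructed in-memory SQLite database, a simulated request entry point (`handle_request`) and a deliberately unfixed SQL-injection bug in `find_user`. The guard records the request parameters, and when a parameter value containing SQL metacharacters appears verbatim inside the SQL text at the `execute()` sink it raises instead of running the query, so the unfixed vulnerability is not exploitable while the guard is in place.

```python
"""Toy RASP hook on a SQL sink (added example; heuristic, not Fortify's engine)."""
import contextvars
import sqlite3

# Parameters of the request currently being handled, recorded at the entry point.
current_request = contextvars.ContextVar("current_request", default={})

# Fragments whose presence in a request value pasted into SQL text indicates injection.
SQL_META = ("'", '"', ";", "--", " or ", " union ")


class BlockedByRasp(Exception):
    """Raised when the guard refuses to execute a query."""


def looks_like_injection(sql, params):
    """Return the name of a request parameter that was interpolated into sql with
    SQL metacharacters, or None. Assumed heuristic; real products track taint."""
    sql_lower = sql.lower()
    for name, value in params.items():
        v = str(value).lower()
        if len(v) >= 3 and v in sql_lower and any(m in v for m in SQL_META):
            return name
    return None


class GuardedConnection:
    """Wraps a sqlite3 connection so execute() becomes the instrumented sink."""

    def __init__(self, conn):
        self._conn = conn

    def execute(self, sql, parameters=()):
        hit = looks_like_injection(sql, current_request.get())
        if hit is not None:
            raise BlockedByRasp(f"request parameter {hit!r} found inside SQL text")
        return self._conn.execute(sql, parameters)


def find_user(conn, name):
    """Vulnerable on purpose: user input is concatenated into the query."""
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def handle_request(conn, params):
    """Simulated request entry point: record parameters, run the application code."""
    token = current_request.set(params)
    try:
        return find_user(conn, params["name"])
    finally:
        current_request.reset(token)


def demo():
    """Returns (benign_result, rows_leaked_without_guard, attack_blocked_with_guard)."""
    raw = sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (name TEXT)")
    raw.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    payload = "x' OR '1'='1"

    # Without the guard the tautology returns every row: the bug is real.
    leaked = len(find_user(raw, payload))

    guarded = GuardedConnection(raw)
    benign = handle_request(guarded, {"name": "alice"})
    try:
        handle_request(guarded, {"name": payload})
        blocked = False
    except BlockedByRasp:
        blocked = True
    return benign, leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The guard only changes the outcome of the attack request; the benign lookup still works, and the code defect is untouched, which is the point of the slide: RASP buys time, it does not replace the fix. A production RASP instruments the web framework and database drivers automatically rather than requiring the application to wrap its connection, and uses taint tracking rather than a substring heuristic, which matters because a heuristic like this one can be evaded (encoded input, values shorter than the threshold) and can misfire on legitimate values that happen to contain quotes.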

Fortify-overview-300-v2.pptx
