CSSLP SECURE SOFTWARE LIFECYCLE PROFESSIONAL ALL-IN-ONE EXAM GUIDE, Third Edition, 3rd Edition by Wm. Arthur Conklin & Daniel Paul Shoemaker

Author: Wm. Arthur Conklin & Daniel Paul Shoemaker
Language: eng
Format: epub, mobi
Publisher: McGraw-Hill
Published: 2022-02-04T00:00:00+00:00


Dynamic Application Security Testing

Dynamic application security testing (DAST), or dynamic analysis, is performed while the software is executed, on either a target or an emulated system. The system is fed specific test inputs designed to elicit particular behaviors. Dynamic analysis can be particularly important on systems such as embedded systems, where a high degree of operational autonomy is expected. As a case in point, the failure to perform adequate testing of software on the Ariane rocket program led to the loss of an Ariane V booster during takeoff. Subsequent analysis showed that if proper testing had been performed, the error conditions could have been detected and corrected without the loss of the flight vehicle.

Dynamic analysis requires specialized automation to perform specific testing. There are dynamic test suites designed to monitor operations for programs that have high degrees of parallel functions. There are thread-checking routines to ensure multicore processors and software are managing threads correctly. There are programs designed to detect race conditions and memory addressing errors.

Dynamic application security testing analyzes the code by executing the application, and this leads to several distinct advantages over static testing:

• Dynamic analysis can be less expensive and less complex to implement when compared to static testing.

• Because it operates with full application knowledge, it produces fewer false positives.

• It can support a variety of languages in an integrated development environment, because it operates on functioning code rather than reading the code base.

• Dynamic analysis allows the identification of runtime issues, such as race conditions, as well as conditions that result from interaction with the system environment, such as authentication and authorization issues.

Like static analysis, dynamic analysis is not a complete solution and suffers from some limitations such as the following:

• Dynamic tools have no access to company or internal coding standards, or to how those standards are implemented, so they miss elements such as forbidden functions.

• Dynamic tools can have difficulty pinpointing the exact location of an error, as function stacks and reference calls can obscure the actual code issue location.

• Dynamic analysis relies upon functioning code, forcing its use later in the development cycle and postponing error remediation to later stages.
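The following is an added example, not code from the book or its authors, showing in miniature what the passage above describes: a running application is fed crafted test inputs and its behavior is observed, with no reference to the source code. The toy account service, its session tokens and its two planted defects (a missing ownership check and a crash on malformed input) are all constructed for the illustration. Note that the harness can only report which request misbehaved, not which line of code is at fault, which is exactly the localization limitation listed above.

```python
"""DAST-style harness over a toy request handler (constructed example).

The handler is driven purely through its request interface, the way a dynamic
tool drives a running application; nothing here reads or parses source code.
"""
import json
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed fixtures for the toy service: two accounts, two session tokens.
ACCOUNTS = {"alice": {"balance": 120}, "bob": {"balance": 40}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def app(method, path, headers, body):
    """Toy account service with two planted defects for the harness to observe:
    /account/<user> checks that a session exists but not that it belongs to
    <user>, and /transfer lets a JSON parse error escape as a crash."""
    user = SESSIONS.get(headers.get("Authorization", ""))
    if path.startswith("/account/"):
        if user is None:
            return Response(401, "login required")
        target = path[len("/account/"):]
        if target not in ACCOUNTS:
            return Response(404, "no such account")
        return Response(200, json.dumps(ACCOUNTS[target]))  # planted: no ownership check
    if method == "POST" and path == "/transfer":
        if user is None:
            return Response(401, "login required")
        data = json.loads(body)                              # planted: raises on bad input
        amount = int(data["amount"])
        return Response(200, f"{user} sent {amount}")
    return Response(404, "not found")


def app_hardened(method, path, headers, body):
    """Same service with both defects fixed: ownership check and input validation."""
    user = SESSIONS.get(headers.get("Authorization", ""))
    if path.startswith("/account/"):
        if user is None:
            return Response(401, "login required")
        target = path[len("/account/"):]
        if target != user:
            return Response(403, "forbidden")
        return Response(200, json.dumps(ACCOUNTS[target]))
    if method == "POST" and path == "/transfer":
        if user is None:
            return Response(401, "login required")
        try:
            data = json.loads(body)
            amount = int(data["amount"])
        except (ValueError, TypeError, KeyError):
            return Response(400, "invalid request")
        return Response(200, f"{user} sent {amount}")
    return Response(404, "not found")


def run_dast(target_app):
    """Drive the running handler with crafted requests; return observed findings."""
    findings = []

    def call(method, path, headers=None, body=""):
        try:
            return target_app(method, path, headers or {}, body)
        except Exception as exc:  # an unhandled exception is itself a runtime finding
            return Response(500, f"unhandled {type(exc).__name__}")

    # Authentication: a protected path with no credentials must be refused.
    r = call("GET", "/account/alice")
    if r.status != 401:
        findings.append("authn: /account/alice served without credentials")
    # Authorization: bob's valid session must not be able to read alice's account.
    r = call("GET", "/account/alice", {"Authorization": "tok-bob"})
    if r.status == 200:
        findings.append("authz: bob's session can read /account/alice")
    # Robustness: malformed bodies must be rejected cleanly, never crash the handler.
    for bad in ["", "{", "[]", '{"amount": "ten"}', "x" * 100_000]:
        r = call("POST", "/transfer", {"Authorization": "tok-alice"}, bad)
        if r.status >= 500:
            findings.append(f"crash: POST /transfer with body {bad[:12]!r} -> {r.body}")
    return findings


if __name__ == "__main__":
    for name, target in (("app", app), ("app_hardened", app_hardened)):
        print(f"{name}: {len(run_dast(target))} finding(s)")
        for f in run_dast(target):
            print("  ", f)
```

Running the harness against `app` reports the authorization finding plus one crash per malformed body; against `app_hardened` it reports nothing. Each finding names a request and an observed status, which is all a black-box dynamic tool can see; mapping "unhandled TypeError" back to the offending line is left to the developer.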


