Sunday 23 October 2011

What does SAST mean? And where does it come from?

After I posted Why doesn't SAST have better Framework support (for example Spring MVC)? I received the question "What is SAST?" (which is a valid question since a Google search today for SAST returns some hilarious answers)

SAST means Static Application Security Testing, and (I believe) it was originally coined by Gartner when they published their Magic Quadrant for Static Application Security Testing report (first version in 2009).

SAST is basically what we usually (in the web world) call Static Analysis of source code (i.e. White Box tools that look at the code without running it). Its cousin is DAST (Dynamic Application Security Testing), which is what we call Pentesting (i.e. Black Box tools that exercise the running application). Google's DAST search results are also funny. Here is a more detailed answer on the difference between SAST and DAST.

As you will see on Gartner's website, they charge for this report, but some companies have bought it and posted/leaked the PDF online (in a way that Google finds it).

Here are a couple of other blog entries about this:

Back on the topic of Frameworks, Neil MacDonald (from Gartner) is absolutely spot on in this 2009 entry: For Static Application Security Testing, Frameworks Matter
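To make the "frameworks matter" point concrete, here is an added example (not code from the original post, from Gartner, or from any SAST product): a toy taint analysis written with Python's ast module. Flask stands in for Spring MVC because the analysis is easier to show in Python, and the handler it scans is a constructed sample. The analysis is run twice over the same code: once with a generic source model that only knows about input(), and once with a framework-aware model that knows request.args.get is where attacker-controlled data enters. The source and sink lists are assumptions for the demo, not any tool's real rule set.

```python
"""Toy intra-procedural taint analysis showing why SAST needs framework knowledge.
Added example, not from the original post or any SAST product."""
import ast

# Constructed sample: a Flask-style handler. request.args.get is the
# framework-supplied source of attacker-controlled data; no input() call
# appears anywhere, so a tool that only knows generic sources sees nothing.
SAMPLE = '''
import subprocess
from flask import request

@app.route("/ping")
def ping():
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    return subprocess.call(cmd, shell=True)

def safe():
    host = "localhost"
    return subprocess.call("ping -c 1 " + host, shell=True)
'''

# Source models (assumed for the demo): dotted call names whose return value
# is attacker-controlled. The framework-aware model adds Flask's request API.
GENERIC_SOURCES = {"input", "sys.stdin.readline"}
FLASK_SOURCES = GENERIC_SOURCES | {"request.args.get", "request.form.get", "request.get_json"}
# Sinks (assumed for the demo): calls where tainted data means command injection.
SINKS = {"subprocess.call", "os.system"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted, sources):
    """True if the expression reads a tainted variable or calls a source."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
        if isinstance(node, ast.Call) and dotted_name(node.func) in sources:
            return True
    return False


def find_flows(source_code, sources):
    """Return (function, sink, line) triples where tainted data reaches a sink.

    Per function, assignments from tainted expressions taint the target name
    (iterated to a fixed point, so statement order does not matter); any sink
    call with a tainted positional argument is reported.
    """
    findings = []
    for fn in ast.walk(ast.parse(source_code)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()
        changed = True
        while changed:
            changed = False
            for node in ast.walk(fn):
                if isinstance(node, ast.Assign) and is_tainted(node.value, tainted, sources):
                    new = {t.id for t in node.targets if isinstance(t, ast.Name)} - tainted
                    if new:
                        tainted |= new
                        changed = True
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
                if any(is_tainted(arg, tainted, sources) for arg in node.args):
                    findings.append((fn.name, dotted_name(node.func), node.lineno))
    return findings


if __name__ == "__main__":
    print("generic sources:", find_flows(SAMPLE, GENERIC_SOURCES))
    print("flask-aware sources:", find_flows(SAMPLE, FLASK_SOURCES))
```

With the generic model the analysis reports nothing, because from its point of view no untrusted data ever enters ping(). With the framework-aware model it reports the command-injection flow in ping() and still stays quiet on safe(), where the same sink is fed a constant. That gap between the two runs is exactly what a SAST tool without Spring MVC (or Flask, or whatever framework) support looks like in practice: the code is visible, but the entry points are not.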

Btw, I wonder when the O2 Platform will be included in a Gartner Magic Quadrant report?