3

Given the fact that I have a WAF already deployed, what is the benefit I could get by purchasing a SAST tool that would scan the engineers' code for security flaws?

Does this also apply for SCA tools where they can alert in case of using a vulnerable/malicious dependency or library? Can WAFs also protect from that?

schroeder
elli
  • *Given that I already have a safety belt, why should I also have a regular technical inspection of the car?* - WAF and SAST complement each other. And a WAF might detect some vulnerable JavaScript library you serve but it will not detect vulnerable libraries you use in your back end. – Steffen Ullrich Jul 25 '19 at 11:04
  • @elenaa your title says one or the other, but the wording in your question body suggests an added benefit. Which are you asking about? – schroeder Jul 25 '19 at 13:24
  • Thank you both for your answers. Shall I update the title then? – elli Jul 29 '19 at 09:45

2 Answers

7

WAF (Web application firewall) is meant to protect an already deployed application independently of the underlying application.

SAST (Static Application Security Testing) is meant to scan your code and find known vulnerabilities based on code.

DAST (Dynamic Application Security Testing) is meant to scan your already deployed application and find known vulnerabilities based on a live running instance.

SCA (Software Composition Analysis) is meant to analyze third party dependencies for known vulnerabilities.

Don't mix them up; there is no WAF vs SAST/DAST. WAF is meant to be application independent: you could potentially have a vulnerable application, but because you have a WAF in front of it, you are still protected.

An ideal DevOps environment would involve all of the tools mentioned. A potential debate here could be DAST vs SAST, but this is out of scope of the question.
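To make the distinction in this answer concrete, here is an added example that is not part of the original answer or of any real product: a toy SAST rule that parses source code and flags SQL built by string concatenation, next to a toy WAF signature that only sees the raw request parameter. The sample handler, the WAF pattern, the table contents and the two payloads are all constructed for the illustration. The point it shows is that the WAF's verdict depends on how the payload is written, while the SAST finding depends only on the code and holds for every payload.

```python
"""Added illustration (not from the original post): a toy SAST rule that reads
source code, next to a toy WAF signature that only sees request parameters.
The handler source, the WAF pattern and the payloads are constructed here."""
import ast
import re
import sqlite3
from typing import List, Tuple

# Constructed sample of the kind of back-end handler a SAST scanner reads.
SAMPLE_SOURCE = '''
def get_user(conn, username):
    # Vulnerable: user input is concatenated into the query string.
    query = "SELECT name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchone()

def get_user_safe(conn, username):
    # Parameterized query: the driver does the quoting.
    return conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchone()
'''


def sast_find_sql_concat(source: str) -> List[Tuple[int, str]]:
    """Toy SAST rule: flag .execute() calls whose SQL argument is built by
    concatenation or an f-string, directly or via a local variable.
    Returns (line number within `source`, enclosing function name) pairs."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Pass 1: local names bound to a string assembled at runtime.
        built = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and isinstance(node.value, (ast.BinOp, ast.JoinedStr)):
                built.update(t.id for t in node.targets if isinstance(t, ast.Name))
        # Pass 2: .execute(<non-literal>) anywhere inside this function.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                arg = node.args[0]
                if isinstance(arg, (ast.BinOp, ast.JoinedStr)) or (
                        isinstance(arg, ast.Name) and arg.id in built):
                    findings.append((node.lineno, func.name))
    return findings


# Toy WAF signature (constructed): the textbook tautology plus a few tokens.
WAF_SQLI_RULE = re.compile(r"'\s*or\s*'1'\s*=\s*'1|union\s+select|--\s*$", re.IGNORECASE)


def waf_blocks(param_value: str) -> bool:
    """Toy WAF: decides from the raw request parameter alone, never sees the code."""
    return WAF_SQLI_RULE.search(param_value) is not None


def run_handler(func_name: str, username: str):
    """Load the sample handlers and call one against an in-memory database
    holding a single constructed row."""
    ns = {}
    exec(SAMPLE_SOURCE, ns)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return ns[func_name](conn, username)


if __name__ == "__main__":
    # The SAST rule flags get_user regardless of what any attacker sends.
    print("SAST findings:", sast_find_sql_concat(SAMPLE_SOURCE))
    # The WAF rule blocks the first payload but not the rewritten second one,
    # and the vulnerable handler returns a row for both.
    for payload in ("' OR '1'='1", "' OR 'a'='a"):
        print(repr(payload), "WAF blocks:", waf_blocks(payload),
              "| vulnerable handler:", run_handler("get_user", payload),
              "| safe handler:", run_handler("get_user_safe", payload))
```

The second payload differs from the first only in the tautology used, which is enough to slip past the signature, yet the vulnerable handler still returns the first row for it. The parameterized handler returns nothing for either payload, which is the fix the SAST finding points at; the WAF rule would have to be tuned again for every new encoding.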

4

SAST has several advantages:

  • can be deployed quickly

  • requires little to no maintenance

  • remediations can be done faster

  • minimizes the need for post-release patches and security updates

  • has better overall ROI

  • can also be used for scanning real time systems, mobile applications and software present on embedded devices

  • false positives don't affect you

So if you can go SAST, you should certainly do it.

Overmind
  • How about an already cloud-deployed WAF? Maintenance does not burden us. – elli Jul 25 '19 at 11:09
  • Maintenance is dependent on a lot of factors; if yours is low, it's a happy case. A good WAF implementation needs dedicated staff to continuously tweak and configure it; additional personnel are needed to sort out FPs and properly send them to the devs, who in turn may or may not be familiar with the app's source code. – Overmind Jul 25 '19 at 11:27
  • Thank you for your response. – elli Jul 29 '19 at 09:46