9 top SAST and DAST tools

These static application security testing and dynamic application security testing tools can help developers spot code errors and vulnerabilities more quickly.


Deploying a secure application has become just as important to most organizations as whatever core function the app will be conducting. An application that works fine but exposes an organization to a potential exploit is just as much a failure as an app that doesn’t function properly.

Back when the world moved at a slower pace, applications would be coded by developers. These applications would then be placed into a production environment by an operations team that was also typically in charge of security. If the operations team found a security flaw or vulnerability, the app would be sent back to the developers to fix. This was a time-consuming process that exposed organizations to a lot of risk by deploying vulnerable programs into their production environment.

The DevOps movement was spawned from this chaos, where developers and operations teams started working together to fix vulnerabilities before apps were deployed. Even then, there was not enough of an emphasis on cybersecurity. The development process for apps needed a dedicated security team that was separate from operations but able to work hand in hand with them as well as the developers.

This new focus on security is so popular today that most DevOps efforts have evolved into DevSecOps programs where development, security and operations work together to create and deploy secure apps.

In this new world of heightened threat awareness, developers are charged with baking security into applications as they create them. Sometimes called “security as code,” this approach can be highly effective by patching and fixing vulnerabilities before an app is deployed. Security as code requires special tools that can uncover hidden problems and vulnerabilities with both uncompiled and completed code.

What are SAST and DAST tools?

Both static application security testing (SAST) tools and their close cousin, dynamic application security testing (DAST) tools, help find security flaws hidden inside code, often before they get to a production environment. Depending on the platform, SAST and DAST tools can look at either source code or code that has already been compiled. Some tools even operate automatically while a developer is working, pointing out flaws in their code the way a spellchecker app flags errors within word processing documents.

While SAST and DAST tools are similar, they tend to look at different aspects of developing code for vulnerabilities. SAST tools are mostly designed to analyze source code that is uncompiled. They do a good job of detecting well-known vulnerabilities such as weak cryptography, SQL injection openings, and buffer overflows. If a SAST tool integrates with an integrated development environment (IDE), it can even warn coders about mistakes as they are being made, letting them fix problems instantly.

DAST tools, by contrast, mostly work with code that has been compiled, but which has not yet been deployed in a production environment. For the most part, DAST tools test completed apps from the outside like a user would, looking at all the exposed HTTP and HTML interfaces. Some also specialize in the vulnerability analysis of specific app functions like remote procedure calls.

While it’s possible for organizations to exclusively use either a DAST or a SAST tool, those that employ both will be able to cover the entire development process. The following are some of the top SAST and DAST tools used by organizations to protect the creation of their applications.
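An added illustration (not from the article or from any vendor's product) of the source-level analysis described above: a small Python checker that parses uncompiled code without running it and flags two of the bug classes named, SQL assembled from strings and weak hashing. The sample source, the rule names and the rule sets are constructed for this example.

```python
import ast

# Constructed sample input: parsed as text, never executed.
SAMPLE = '''
import hashlib, sqlite3

def login(db, user, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    cur = db.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + user + "'")
    cur.execute(f"SELECT id FROM users WHERE pw = '{digest}'")
    cur.execute("SELECT id FROM users WHERE name = ?", (user,))
    return cur.fetchone()
'''

WEAK_HASHES = {"md5", "sha1"}           # illustrative rule set, not exhaustive
SQL_SINKS = {"execute", "executemany"}  # DB-API cursor methods
NON_LITERAL = (ast.Name, ast.Attribute, ast.Call, ast.Subscript)


def builds_string(node):
    """True if the expression assembles a string from non-literal parts."""
    if isinstance(node, ast.Call):  # "...".format(x)
        f = node.func
        return (isinstance(f, ast.Attribute) and f.attr == "format"
                and isinstance(f.value, ast.Constant))
    concat = isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod))
    if concat or isinstance(node, ast.JoinedStr):  # "a" + x, "a%s" % x, f"{x}"
        return any(isinstance(n, NON_LITERAL) for n in ast.walk(node))
    return False


def scan(source):
    """Return sorted (line, rule) findings for one source file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        if func.attr in SQL_SINKS and node.args and builds_string(node.args[0]):
            findings.append((node.lineno, "sql-injection"))
        elif (func.attr in WEAK_HASHES and isinstance(func.value, ast.Name)
              and func.value.id == "hashlib"):
            findings.append((node.lineno, "weak-hash"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

The parameterized query on line 9 of the sample is not reported, while a query first assembled into a variable and then passed to `execute` would be missed, which is the kind of pattern-matching limit behind the false positives and false negatives discussed for these tools.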

Security Compass SD Elements

The SAST toolset SD Elements runs the gamut between a SAST and a DAST tool, with a lot of additional features added in beyond simple vulnerability scanning. In fact, SD Elements is backed by a comprehensive knowledgebase that has been built up by security researchers at the company with elements from other trusted sources like the Center for Internet Security (CIS). SD Elements can find vulnerabilities in code and applications and suggest the easiest possible fix from that extensive database.

When first deployed, SD Elements looks at the unique environment where the tool will be running. This includes information about the language, platforms, features, relevant compliance rules and tools being used. Armed with this information, it can determine what vulnerabilities exist in an application. Again using its extensive knowledgebase, it then classifies those problems based on the inherent risk they pose.

SD Elements can be used in a variety of ways. For example, the simplest solution to a vulnerability problem can be offered to developers. SD Elements can also automate that process by doing things like changing the default credentials of an app. The tool can even sync with ticketing systems like JIRA or ServiceNow to ensure that fixes are completed within whatever timeframe is set by administrators.

Once complete, everything is validated to ensure that fixes have been properly completed, and that no new vulnerabilities have popped up as a result. SD Elements can integrate with most common scanning tools for this step such as IBM AppScan, Veracode, WhiteHat and others. Finally, SD Elements provides detailed reports about fixed vulnerabilities that are suitable for most security audits or to show improvement and increased security over time.

Secure Code Warrior

The Secure Code Warrior approach is deeply grounded in education and helping developers to become more secure coders over time. The company philosophy is that simply deploying a SAST-like tool should be one small element in an overall approach to helping developers evolve into proficient, secure coders. As such, while the company employs an analysis tool as part of its overall package, it’s just one part of an overall training suite designed to fix code, enforce secure coding rules and educate developers at the same time.

The upcoming analysis component for the Secure Code Warrior platform acts like a spellchecker does for word processor documents, finding errors as they are created and prompting developers to immediately fix them. It’s not technically, or at least does not act like, a typical SAST tool.

The Secure Code Warrior platform can accomplish a few critical things that a normal SAST app can’t, including highlighting bad code that does not fall in line with company-specific guidelines regardless of whether it’s actually secure or not. So, it doesn’t look for common vulnerabilities. It instead flags whenever a programmer has deviated from a coding guideline that has been specially adopted by the organization deploying the platform. This approach all but eliminates false positives, since detected errors will be violating specific rules. There are no fuzzy grey areas with Secure Code Warrior.

Of course, the real strength for any development team is being empowered with the knowledge to code securely in the first place, so vulnerabilities are addressed at the very beginning of the development cycle. Secure Code Warrior directs developers to its gamified training regimen, available in many different languages and frameworks so they can learn to find, fix and eliminate vulnerabilities in real-world code challenges.

Pricing for Secure Code Warrior starts at $400 per user. Over time, developers using Secure Code Warrior should become better coders, while being prevented from making dangerous mistakes in the meantime.

Micro Focus Fortify Software Security Center

The Fortify Software Security Center from Micro Focus is designed to bring security and development teams together under a unified platform. The tool reports to a dashboard that shows application vulnerabilities and code flaws and keeps track of them over time. This supports collaboration between security and coding teams since everyone is working from the same set of easily readable dashboards.

Speed and automation are also a focus of the Fortify Software Security Center. Machine learning is used to automate all validation functions. Whenever an issue with an app is resolved, Fortify will check the fix to ensure that the vulnerability has really been removed and that no new issues have popped up in its place. It uses the results of previous audits as well as an extensive knowledgebase to perform this automatic double-checking of all potential fixes.

Fortify is also designed to be flexible so that it can integrate with whatever tools or software the development teams are already using. This includes build tools, code repositories, bug tracking, and ticketing systems. It can also integrate with other software through an IDE interface or by using an extensible API.

It’s often said that security and development teams speak different languages. The easy-to-use dashboards and automation functions of the Fortify Security Center can act as a universal translator so that everyone can finally work together to create more secure applications.

Rapid7 InsightAppSec and AppSpider

Rapid7 offers two top DAST tools for eliminating vulnerabilities and helping to bring apps into security compliance. The first, InsightAppSec, is designed to be up and running in as little as five minutes. It works remotely by scanning applications that are already publicly accessible so that no local installation is needed. There is an optional component that allows for scanning on closed networks, so organizations that have private, non-production environments can still use InsightAppSec for application analysis.

Configuring InsightAppSec is easy and is designed for use without having to first wade through a lot of documentation. Several attack templates are available that can be activated by checking a few boxes. InsightAppSec can provide simple pass or fail scores for compliance regulations like PCI-DSS, HIPAA, SOX and the OWASP Top Ten. Organizations that need to quickly find out if their applications are exposed by specific vulnerabilities can get those answers faster with InsightAppSec than with almost any other DAST tool.

The second tool from Rapid7 is called AppSpider. Also a DAST tool, AppSpider is designed to dive deeply into individual applications to find every security flaw and vulnerability hidden inside the code. It’s also automated so that it can run each time an app build is completed, which makes it almost straddle the line of becoming a SAST tool. However, AppSpider is still technically looking at the code from an outside perspective, so it should generate fewer false positives than most SAST apps. Rapid7 has also streamlined the reports that AppSpider generates, and it provides the most critical information needed for developers to make important fixes.

Pricing starts at $2,000 per app and gets less expensive with the more apps you test.

HCL AppScan

Formerly called IBM Security AppScan Standard, the tool became property of HCL Software in July 2019. It has been renamed HCL AppScan. A core feature that sets HCL AppScan apart from other DAST and SAST tools is how it has been optimized for speed. It can scan over a million lines of code per hour.

It has been further optimized by its new owners and modified into multiple offerings, with each one streamlined to match its intended specialty. For example, AppScan Enterprise is scalable and provides management dashboards to help classify and prioritize application assets based on their potential business impact. AppScan Source is purely a SAST tool capable of looking at uncompiled code and moving fixes back in the development cycle where they are far less costly. AppScan on Cloud moves most of the testing applications to the cloud, enabling organizations to perform both SAST and DAST testing without the need for local computing resources.

The AppScan toolset was already one of the most comprehensive when developed by IBM. Since acquiring the product, HCL Software is further refining it to make it even more useful for organizations to find and fix application vulnerabilities at the rapid pace required by today’s DevOps and DevSecOps programs.

Acunetix Vulnerability Scanner

The Acunetix Vulnerability Scanner is designed to be one of the most accurate detection tools on the market. It can identify over 4,500 common vulnerabilities with a claimed low false positive rate. It even specializes in WordPress, one of the most popular frameworks for modern web pages. It can detect 1,200 core WordPress vulnerabilities as well as security holes in themes and plugins.

In addition to WordPress vulnerabilities and common security problems, the Acunetix Scanner can also examine both custom-built applications and those made with open-source software components. It is also able to crawl websites using its proprietary DeepScan technology, finding flaws in places that stymie other programs. Acunetix can find vulnerabilities hidden in single page applications developed in HTML5, JavaScript errors and flaws with RESTful APIs.

All the information about vulnerabilities uncovered by the Acunetix Vulnerability Scanner is shared through a graphical dashboard that breaks down problems by severity. It tracks those errors as fixes are made to ensure that no new vulnerabilities creep back into the production environment.

Checkmarx CxSAST

The Checkmarx CxSAST tool can scan all types of uncompiled code, so there is no need to wait for a complete build before deploying it. CxSAST supports a broad variety of programming languages and frameworks from modern languages such as Go and Scala to legacy ones such as C and C++. In fact, there are no dependency configurations, so switching between programming languages requires no additional setup. Those deploying Checkmarx CxSAST don’t even have to know a lot about the language being scanned because the program is smart enough to configure itself to the environment and code.

In addition to a seamless deployment, Checkmarx SAST can also integrate with all IDEs, build management servers, source repositories and third-party bug tracking tools. It can interface with all those assets in order to detect and enforce any security policy.

It’s not just the scanning that is streamlined with Checkmarx. The SAST tool also helps to automate fixes by employing a unique “best fix location” algorithm. Not only will Checkmarx SAST suggest the best fix, it will determine exactly where in the code the fix will be the most efficient.

While Checkmarx declined to give pricing information, it did note that CxSAST, like most of their products, is subscription-based, licensed and priced by either the number of users or projects.


Netsparker

One of the biggest problems with both SAST and DAST tools is false positives. Every time a tool directs a developer to chase after a vulnerability that doesn’t need fixing, or which has no impact on an organization, it wastes time and pulls resources away from real problems. That is why Netsparker was designed to provide a DAST tool that claims to generate almost no false positives.

Netsparker calls this technology Proof-Based Scanning. What that means is that once the scanner detects a potential vulnerability, it initiates more testing to confirm those results. Only after being fully verified by the Netsparker tool is the vulnerability reported.

The Netsparker technology was recently put to the test in a head-to-head comparison by a third-party testing laboratory. Netsparker was able to find several hundred SQL injection, local file inclusion, unvalidated redirects, old backups, remote file inclusion and reflected XSS vulnerabilities in applications running in a complex testbed. Netsparker was one of only two DAST tools to achieve no false positives in that test, with Rapid7’s InsightAppSec being the other, though InsightAppSec did not detect as many vulnerabilities.

Copyright © 2019 IDG Communications, Inc.
