
Application Security Testing

Application Security Testing (AST) is a comprehensive process of identifying security loopholes and shortcomings in an application, whether they surface during regular functioning or could be exploited by a hacker.

AST was carried out manually from its inception. However, as applications have grown more complex and integrate a wider variety of functions, manual testing has become extremely time-consuming. With AST now fully automated, most organizations use a combination of several application security tools.

There are 5 stages of application development, and different types of AST must be carried out regularly through each of them to keep mobile app security in check.

  • Development
  • Integration
  • Acceptance Stage
  • Pre-Production Stage
  • Production Stage

The very basic methods of AST are:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Interactive Application Security Testing (IAST)

SAST:

SAST takes advantage of having access to the application's code. It goes through the static source code looking for security defects and other issues written into the code, and is programmed to identify vulnerabilities that have the potential to be exploited. It does not look at the running application. It is what is called a white-box testing tool.

DAST:

DAST is a set of tools that look at applications from the front end. They look at a running application and go through its pages searching for potential security vulnerabilities or architectural weaknesses. They do not look at the source code of the application. A lot of what they identify is in the OWASP Top Ten risks, such as SQL injection and cross-site scripting. It is what is called a black-box testing tool.

IAST:

IAST is the evolved version of SAST and DAST. It combines the two methods of security testing to detect a wider range of weaknesses. IAST runs dynamically to inspect software at runtime. It runs from within the application server, which also allows it to look at the application source code, as SAST tools do.
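
The SAST and DAST contrast described above, as an added example that is not part of the original page: a static check reads constructed sample source without running it, and a dynamic probe runs the same functions without reading them. The sample functions and the names `sast_scan`, `dast_probe` and `load_sample` are hypothetical, and the static rule is one simplified pattern, not a real tool's rule set.

```python
import ast
import sqlite3

# Constructed sample: one lookup builds SQL by string formatting, one uses a bound parameter.
SAMPLE_SOURCE = '''
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")
    return cur.fetchall()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

def sast_scan(source):
    """White-box: walk the syntax tree of the source; the code is never executed."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    # f-string or concatenation/% formatting as the query argument
                    and isinstance(node.args[0], (ast.JoinedStr, ast.BinOp))):
                findings.append((func.name, node.lineno))
    return findings

def dast_probe(handler):
    """Black-box: send a lone quote to the running function and observe behaviour only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    try:
        handler(conn, "'")
    except sqlite3.Error:
        return True   # the input was parsed as SQL syntax: injection-prone
    return False      # the input was treated as data

def load_sample():
    """Turn the constructed sample into callable functions for the dynamic probe."""
    ns = {}
    exec(SAMPLE_SOURCE, ns)  # safe here only because SAMPLE_SOURCE is a fixed literal
    return ns
```

Both checks flag `find_user` and pass `find_user_safe`, but the static scan reports a function name and line number while the dynamic probe can only report that the behaviour is wrong.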