What you have in the screenshot above is a PoC of showing AltoroJ's findings from IBM Rational AppScan Source (a SAST/WhiteBox tool) inside the equivalent findings from AppScan Standard (a DAST/BlackBox tool).
The core idea is that we should be presenting and integrating the information that we are able to create from the multiple tools we use (+ human knowledge) into the tools that the user is more comfortable with.
So in this case we have an DAST user (typical pentester) being able to leverage the analysis created by a SAST (Static Analysis) tool.
It is also a much better way to show and present these findings to developers, since we can immediately talk about how to remediable the code.
Another massive benefit from performing security reviews this way is that it really highlights the best (and worse) of both tools (i.e. what SAST finds and DAST misses, and what DAST finds and SAST misses)
Ultimately both SAST and DAST results must match :)
If you want to see how that PoC was created inside AppScan Standard, take a look at these two blog posts:
- Showing IBM Rational AppScan Source Findings inside AppScan Standard (1st PoC)
- O2 Scripting Samples: Automating Rational AppScan Standard GUI and adding AppScan Standard Findings
