dynamic application security testing (DAST)

How does DAST work?

DAST occurs once the application has advanced past its earlier life stages and has entered into production or runtime. Most DAST tools only test the exposed HTTP and HTML interfaces of web-enabled apps, but some are specifically designed for non-web protocols and data malformation -- like remote procedure calls (RPC) and session initiation protocols (SIP).

DAST is a black box test, meaning it is performed from the outside of the application, without a view into the internal source code or app architecture. As a result, the test identifies vulnerabilities by using the same techniques a hacker would and performing attacks on the software. A DAST will employ a fault injection technique, like inputting malware into the software, to uncover threats such as cross-site scripting (XSS) or SQL injection (SQLi).

DAST tools will continuously scan apps during and after development. The DAST scanners crawl through a web app before scanning it. This first step allows the DAST tool to find every exposed input on pages within the app and then test each one.

The tests that are done after the app has been executed are fully automated and allow businesses to immediately identify and resolve any risks before they become serious attacks. Once a vulnerability is discovered, a DAST solution will send an automated alert to the appropriate team of developers so they can remediate it.

There are three ways to use DAST:

• testing early and often in the software development life cycle (SDLC);
• in collaboration with DevOps -- DAST identifies the problem and DevOps fixes it;
• and in conjunction with other tests as part of a comprehensive approach to web security

DAST works best as part of a comprehensive approach to web application security testing. While DAST gives security teams timely insight into the way web applications behave in production, companies often deploy additional forms of security testing, such as application penetration testing and static application security testing (SAST), along with DAST.

Application penetration testing offers a real-world demonstration of how an attacker might break into a specific web app and SAST enables developers to find vulnerabilities in the application source code earlier in the SDLC.

Benefits of DAST

The major benefit of DAST tools is the ability for businesses to better understand how their web apps behave and identify threats early on in the SDLC. This enables businesses to save time and money by removing weaknesses and stopping malicious attacks before they happen.

When a hacker successfully launches a web application attack, it may go undiscovered by the security team for stretch of time. While hidden, the attacker can inflict as much damage as they want while gaining access to sensitive corporate information and customer data. DAST makes it more likely that these hackers will be found by scanning the app while it's running. DAST can also analyze problems in runtime that are unable to be identified by static analysis, such as authentication, server configuration issues and flaws that are only visible when a known user logs in.

Furthermore, DAST tools are independent of technology and interact with applications from the outside, relying on HTTP and HTML interfaces. This allows DAST tools to work with any programming language and framework. It also puts the DAST scanner in an ideal place to identify potential configuration issues within the app.

DAST is also beneficial for industry-standard compliance. It can streamline PCI DSS compliance and other types of regulatory reporting.

DAST vulnerabilities

DAST tools work best with the Waterfall model but can be inadequate with other, more progressive software development methods due to processing restrictions.

DAST tools can create false positives. A false positive refers to the outcome of a test that wrongly indicates a vulnerability, presenting the threat as a reality when it is not. While the tool is correct to report them because it could be a real threat in some scenarios, it takes experienced code analysts to identify whether or not the risk applies to their situation. Therefore, false positives can degrade the reliability and usefulness of the DAST tool.

Another limitation of DAST is that it only analyzes requests and responses, leaving other hidden vulnerabilities, such as design issues, undetected. DAST tools also cannot be used with source code or uncompliant application code. This restriction delays security action until a later point in the SDLC.

Identifying security risks after an app is up and running also creates vulnerabilities for DAST. In this situation, the programming team responsible for the code must return and re-familiarize themselves with the code before they are able to fix it; a time consuming process.

DAST vs. SAST

As mentioned before, DAST is frequently used with SAST because the two tests cover different areas in comprehensive testing and can create a fuller security evaluation when used together. DAST is a black box security testing method and performs its analysis from the outside while SAST is a white box method that examines the app from the inside.

SAST does not find runtime errors like DAST does and DAST cannot flag specific coding errors, down to the code line number, like SAST can. DAST involves operational testing while SAST looks at source code and speculates where security risks might be or spots design and construction flaws that might present a potential vulnerability.

SAST tools are able to pinpoint exactly where in the code a vulnerability can be found, something DAST tools are unable to do. However, while SAST is efficient at finding an error in a line of code, it cannot easily find flaws in data flow. Furthermore, SAST is more likely to produce false positive results, making it less reliable than DAST tools.

Importance of DAST

As use of applications to optimize websites increases, the risk of a cybercrime rises as well. Web application security must become a priority in the early stages of the SDLC. Businesses are using DAST in response to the growing rate of cybercrime. The runtime tests performed by DAST tools can catch threats or vulnerabilities that are sometime only visible after an app is active, successfully shielding the app against external attacks.