TMCnet Feature Free eNews Subscription
August 28, 2020

The Abridged Guide to Dynamic Application Security Testing (DAST)

By Special Guest
Gilad David Maayan



DAST practices and solutions enable you to test applications during runtime. You can use DAST to identify vulnerabilities in your own applications and in applications you did not develop. Typically, you use DAST for HTML or HTTP interfaces, but you can also apply DAST to SIP and RPC. Read on to learn more about DAST, including how the technology works, pros and cons, best practices, and what is the difference between DAST and SAST.



What Is DAST?

Dynamic application security testing (DAST) is a practice you can use to test applications during runtime. DAST solutions can help you identify vulnerabilities without requiring you to have insider access to application components. This means you can test applications that you have not developed. You can also test your own applications to evaluate how they may be vulnerable to attacks by outsiders.

How Does DAST Work?

DAST is performed after an application is functional, such as the later stages of testing. It can also be performed in production. Typically, it is applied to HTML or HTTP interfaces of applications although you can also apply it to session initiation protocols (SIP) or remote procedure calls (RPC).

During testing, the app is treated like a black box with no access to app architecture or source code. Rather than testing for specific flaws, DAST testing attempts more general attacks, such as SQL injection or cross-site scripting. This is done after you scan your target application with DAST tools to determine exposed inputs or endpoints in the application.

DAST testing is fully automated and can be performed routinely on applications in almost any environment. DevOps teams add DAST into the software development life cycle (SDLC), because it enables them to quickly evaluate applications pre and post-production.

DAST is most effective when combined with other testing practices and tools. Although it can provide insights to how applications function it cannot identify all issues in all environments. Instead, you should combine DAST with penetration testing and static application security testing (SAST) to better identify all issues.

DAST Pros and Cons

When deciding how or when to incorporate DAST into your application security strategy, consider the following pros and cons.

Pros of DAST include:

  • Accuracy—DAST typically produces fewer false positives than SAST, eliminating unnecessary work for security and development teams. Fewer false positives can also reduce the chances of overlooked or dismissed issues due to mistrust of methods used.
  • Adaptability—DAST is adaptable and does not rely on compatibility with specific programming languages to evaluate applications. This means you can use the same tool for multiple applications, frameworks, and abstraction methods.

Cons of DAST include:

  • Blind and asynchronous bugs—DAST alone is not able to detect asynchronous or blind bugs. These are issues that create vulnerabilities in applications but these vulnerabilities are not made apparent by application responses. In these cases, DAST would report a false negative.
  • Non-exposed inputs—you can only use DAST to test exposed inputs. This means that it cannot detect internal vulnerabilities that may be exploited by attackers with knowledge of internal code.

DAST vs SAST

Although both used to test application vulnerabilities through automation, DAST and SAST perform different functions. As mentioned, DAST is used to test applications from the outside, simulating attacks that hackers may perform. This makes it useless in the initial stages of development. On the other hand, you can use DAST with third party applications and those where you do not have code level access to all components.

In contrast, SAST is used to test applications at the code level. It requires you to have source code access and can evaluate application code line by line. For SAST to work, you must have tools that are designed specifically for the language your application is written in.

SAST tools do not require an application to be functional to be useful. Instead, you can use these tools to evaluate individual components and assess code before it is added to your current builds. This means you can use SAST much earlier in the SDLC than DAST. Because of this, SAST may offer greater investment returns as it can help reduce the overall amount of work going into an application.

Additionally, you can integrate SAST into existing development tools, such as integrated development environments (IDEs). This integration enables SAST to provide real-time feedback with exact pointers to issues to developers and helps them correct mistakes immediately. You can use this to improve your overall code quality as developers can learn security best practices as they work.

In contrast, DAST often requires special infrastructures to be created. For example, multiple testing environments simulate all of the runtime cases an application may use. Once testing is done, results are returned to testers and developers, requiring them to determine where the issue is stemming from.

DAST Best Practices

Although implementing DAST can require extra work and costs, it can also help you identify issues that would otherwise be overlooked. Because of this, any mature testing strategy should include DAST solutions. To help you ease the integration of DAST into your strategy, consider these best practices.

Use DAST as early in the SDLC as possible

The earlier you integrate DAST into your SDLC, the greater your returns will be. Early testing in general is ideal because it surfaces issues for your team before those issues can be compounded. This makes it easier to fix issues and reduces the chance that dependent parts of your application need to be reworked after fixes are applied.

Combine DAST with SAST

Ideally, you should combine DAST and SAST strategies. This combination can help ensure that both code and environment issues are caught before your application is put into production. DAST is also useful for confirming that fixes made based on SAST findings are effective and are not creating different vulnerabilities.

Collaborate with DevOps Teams

When implementing DAST, make sure to create a feedback loop back to your DevOps team. In the same way you want other test results to be returned to teams ASAP, you need DAST results returned quickly.

An additional consideration with DAST results is that you need to facilitate communication between operations and development members in your team. Not all issues that DAST returns can be fixed directly with code, therefore, your team members need to collaborate on solutions.

Conclusion

DAST solutions enable you to fully automate testing. DevOps teams implement DAST to check the security of applications during pre-production and production. DAST is adaptable and produces few false positives, but it should not be used as the only testing method. You can use DAST to test only exposed inputs. DAST cannot detect asynchronous bling bugs. To ensure the security of your applications, you should combine DAST with SAST and other testing tools.

--------------------

Author Bio: Ilai Bavati

I'm a technology writer and editor based in Tel Aviv. I cover topics ranging from machine learning and cybersecurity to cloud computing and the Internet of Things. I'm interested in the real-world application of emerging technologies, and I see our increasingly connected reality as both disruptive and potentially life-saving.

LinkedIn (News - Alert): https://www.linkedin.com/in/ilai-bavati-0b1a1418a/


 
» More TMCnet Feature Articles
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE
Share

LATEST TMCNET ARTICLES

» More TMCnet Feature Articles