What is Dynamic Application Security Testing (DAST)?

Dynamic Application Security Testing, also known as DAST, is a Black-Box Security Testing Methodology which tests the application from the outside in its running state, differentiating it from SAST which searches for vulnerabilities within the application through its source code.

No alt text provided for this image


In order to run an intensive scan, DAST tools build an application map by inspecting web pages and extracting URLs to shape it. Exceptions to this are REST APIs, for which there is a need to provide an API structure definition usually through a Swagger file (using JSON or YAML as standard formats) and possibly having to provide authentication details either with additional scripting or specified in the same file. This also enables other possibilities for automated testing.

After having the targets defined, the active scan phase takes place which, using known techniques, aims to attack the pages recognizing public vulnerabilities. This is recommended to be performed in non-production environments since the active scan leverages malicious scripts and modifies data.

The main benefits of using DAST include finding access control, session management, and authentication issues, distinguishing unsafe third party components and application misconfigurations, and individualizing insufficient input validation allowing code injection in the form of SQL or operating system command remote execution and other techniques like cross-site scripting.

DAST has, however, some pitfalls. On one hand, not all findings are real vulnerabilities which generate a lot of false positives and, on the other hand, it does not include the entire possible spectrum of vulnerabilities. DAST needs to have a deep knowledge of the application and run enough tests to be effective.

Between the tools that can be integrated into the CI/CD Pipeline can be mentioned OWASP ZAP (Open Source), Snyk (Commercial), Mozilla Minion (Open Source), and Veracode Scanner (Commercial).