Dynamic application security testing (DAST) tools have been widely used for more than a decade, but there are still misconceptions about what they can and cannot do. The good news is that modern DAST tools far surpass the capabilities of their legacy forbears, making them an essential part of any modern software development life cycle (SDLC).
What legacy DAST tools can and cannot do
The primary capability of a DAST tool is to perform an automated pen-test of a web application: basically, to check the application for security defects by attacking it as a hacker would. That’s still the case, though modern DAST tools go further.
Legacy DAST tools, which include many of the free and open-source versions, give you strictly black-box insight into the workings of a web app. They can only tell you what’s going in and what’s going out.
If they discover any vulnerabilities, legacy DAST tools cannot provide any proof that the vulnerabilities are actually exploitable. It’s up to developers using legacy DAST tools to verify each potential vulnerability themselves, which can mean a huge amount of time spent chasing false positives.
Furthermore, legacy DAST tools are often unavailable until a piece of code approaches the production stage, as most DAST tools can only test stand-alone working binaries. Tests often need to be triggered manually.
With legacy DAST, “you can scan multiple assets to see what you’re doing, but for detailed analysis, you have to rely on manual inspection,” Invicti’s Zbigniew Banach explained in a blog post in 2020.
The capabilities of modern DAST tools
Modern DAST tools go far beyond these initial capabilities. They can often provide proof-of-concept exploits for discovered vulnerabilities, saving developers a lot of time that could otherwise be spent chasing false positives. (DAST software maker Invicti calls this “proof-based scanning”.)
Modern tools are less restrictive about where in the software development life cycle they can be deployed and are able to test pieces of code that legacy DAST tools may not have handled. This allows developers to get an early start on finding and solving problems.
“You can scan for vulnerabilities as soon as you have runnable code, which means from the first commit for most modern frameworks and automatically trigger incremental scans as part of the pipeline,” Banach wrote in a blog post in 2022.
These modern tools can also run in the background, continuously testing code during a seemingly endless cycle of update-test-deploy-repeat and letting developers focus on their core duties.
“DAST can run at any time of the day or night, as often as you need,” Banach wrote. “This is important for continuous integration pipelines, where you can’t organize a penetration test for every single build.”
Many modern DAST tools also have additional features that embed them deeper into an SDLC, enabling secure coding throughout the development process. For example, some DAST tools can now scan and discover web assets, even those that developers may have forgotten.
They can also be integrated with bug tracking platforms like Jira or ServiceNow, continuous integration/continuous delivery (CI/CD) tools like Jenkins or GitLab, and workplace messaging programs like Slack or Microsoft Teams. Some state-of-the-art DAST tools include various compliance modules to ensure that the software being tested is PCI-DSS, HIPAA or ISO 27001 compliant.
Modern DAST tools have also learned to make up for the shortcomings of their legacy forbears. The first generation of DAST tools often had trouble with custom authentication and business logic, so their descendants have learned to adapt to those. Also, modern DAST tools often connect to Amazon Web Services environments for off-site testing.
Finally, some modern DAST tools, such as Invicti’s, include a SAST (static application security testing) element to look at the underlying code and thus provide a view of an app’s security from the outside and inside. This is often called interactive application security testing (IAST), but like SAST, it is often tailored to specific programming languages and cannot be run independently the way DAST tools can.
“In short, a modern DAST solution is the only way to get a complete picture of your web security posture and take action from day one,” Invicti’s Zbigniew Banach wrote in a 2020 blog post.
What to look for in a DAST tool
So what should you consider when you’re shopping for a DAST tool? One of the most important features is the ability to “prove” that discovered vulnerabilities are actually exploitable and worth fixing.
“Do not consider solutions that cannot provide confidence and evidence of identified vulnerabilities,” says the Web Application Security Buyer’s Guide provided by Invicti. “Every vulnerability that cannot be confirmed with 100% confidence by your software must be verified manually, breaking any development automation and consuming the security team’s time and resources.”
You should check to make sure that the DAST tool has a modern crawling engine (preferably Chromium-based), can scan the internet for websites and domains owned by your organization, can import standard API definition formats, and can scan for “blind” vulnerabilities, which may not yield immediate outputs but may cause trouble down the road.
“If your vendor or software maker mentions terms like misconfigurations, open databases, and vulnerable libraries, there’s a good chance they support the detection of many different types of security issues of the web application, not just the web vulnerabilities,” says the Invicti buying guide.
You also want to make sure the tool can overcome any custom authentication or business logic your software might throw in its path. You may need to guide the tool by hand past these obstacles, but don’t consider any DAST tool that doesn’t work even with that help.
Finally, you’ll want to see how well the tool integrates with the software already in your development environment.
“The more ability to integrate a [DAST] solution has, the more time you’ll save setting it up and using it,” says the Invicti buying guide.