Overview of Dynamic Application Security Testing
Dynamic Application Security Testing (DAST) tests a running instance of your application for security vulnerabilities. A DAST scanner sends requests that simulate what an attacker would send, then evaluates each response for evidence of a security bug. As it runs through its suite of simulated attacks, any potential vulnerability is recorded for review.
DAST scanners have long been a favorite tool of enterprise security teams, software engineering teams, and penetration testers. Because the scanner observes the application's actual behavior rather than its code, it finds vulnerabilities your team introduced during the software delivery cycle as well as exploitable vulnerabilities in the open-source components the application depends on. It is often used alongside Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools. DAST is known for its low false positive rates, since each finding is backed by an observed response rather than an inferred code path, and for surfacing application security risk precisely.
How it Works
A DAST scan starts by pointing the scanner at the host where your application is running. This may be a publicly available website or web app, but it is generally advised to run DAST scans against a pre-production environment. Because the scanner behaves like an attacker, it can modify or erase data in your production environment, with obvious negative consequences (learn more in our posts about why you should not run DAST against production and how to seed a database for DAST scanning).
Once the scanner is pointed at the host, it runs an HTML spider to identify all reachable paths, forms, and parameters. Depending on the tool, it may also use an AJAX spider for single page applications, consume an OpenAPI specification to enumerate your REST APIs, or query the GraphQL introspection endpoint to build your GraphQL API query tree. Ideally, your tooling should cover as much of your application and backing APIs as possible, and should do so automatically.
The scanner then runs its suite of tests, sending attack requests to every identified path and parameter and looking for responses that indicate a security vulnerability: a payload reflected unencoded into the page, a database error triggered by a stray quote character, a missing security header. Any findings are then displayed in the report or platform of your DAST scanner, ideally with the information a developer needs to reproduce and fix the bug, such as the exact request sent and the evidence found in the response.
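To make the spider-then-attack loop concrete, here is an added example (not StackHawk's or ZAP's code) of the smallest possible DAST scanner in Python. It crawls links and forms, sends an XSS and an SQL injection payload to every discovered parameter, and flags the responses that give themselves away. The target is a constructed vulnerable application hosted in-process as a function, and the host name target.local is an assumption, so the example runs offline; a real scanner would make the same requests over HTTP.

```python
"""Toy DAST loop: spider a running app, replay every discovered input with attack
payloads, and flag responses that show evidence of a bug.
Added example, not StackHawk or ZAP code. The target is a constructed in-process
function standing in for the host the scanner is pointed at, so this runs offline;
a real scanner would speak HTTP to that host instead."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit


def target_app(url):
    """Constructed vulnerable target: returns (status, body) for a GET URL."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/":
        return 200, '<a href="/search">search</a> <a href="/item?id=1">item</a>'
    if parts.path == "/search":
        term = q.get("q", "")
        # Reflects the query term into the page without encoding: reflected XSS.
        return 200, f'<form action="/search"><input name="q"></form><p>Results for {term}</p>'
    if parts.path == "/item":
        item_id = q.get("id", "1")
        if not item_id.isdigit():
            # Concatenates the id into SQL and leaks the DB error: error-based SQLi signal.
            # (This error page does encode output, so it is not also an XSS sink.)
            return 500, f"SQL error: syntax error near '{html.escape(item_id)}' in SELECT * FROM items WHERE id = ..."
        return 200, f"<p>item {html.escape(item_id)}</p>"
    return 404, "not found"


class LinkAndFormParser(HTMLParser):
    """Collects <a href> targets and <form> actions with their <input name>s."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def spider(fetch, base, max_pages=50):
    """Crawl from base; return the attack surface as a set of (path, param names)."""
    seen, queue, surfaces = set(), [base], set()
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        parts = urlsplit(url)
        surfaces.add((parts.path, tuple(sorted(parse_qs(parts.query)))))
        parser = LinkAndFormParser()
        parser.feed(body)
        queue.extend(urljoin(url, href) for href in parser.links)
        for form in parser.forms:
            action_path = urlsplit(urljoin(url, form["action"])).path
            surfaces.add((action_path, tuple(sorted(form["inputs"]))))
    return surfaces


# Each check: the payload to send and a detector applied to the response body.
XSS_PAYLOAD = "<scrIpt>dast1()</scrIpt>"
CHECKS = {
    "Cross Site Scripting (reflected)": (XSS_PAYLOAD, lambda body: XSS_PAYLOAD in body),
    "SQL Injection (error based)": ("1'", lambda body: re.search(r"SQL (syntax )?error", body, re.I) is not None),
}


def attack(fetch, base, surfaces):
    """Send every payload to every parameter; record hits with the request that proves them."""
    findings = []
    for path, params in sorted(surfaces):
        for name in params:
            for vuln, (payload, detector) in CHECKS.items():
                url = urljoin(base, path) + "?" + urlencode({name: payload})
                _status, body = fetch(url)
                if detector(body):
                    findings.append({"vuln": vuln, "path": path, "param": name, "evidence": url})
    return findings


def run_scan(fetch=target_app, base="http://target.local/"):
    return attack(fetch, base, spider(fetch, base))


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f['vuln']}: {f['path']} param={f['param']} via {f['evidence']}")
```

Two details carry over to real scanners: the evidence URL is what a developer needs to reproduce the bug, and the XSS payload is only counted when it comes back byte-for-byte unencoded, which is why the encoded error page on /item is reported as SQL injection and not also as XSS.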
What it Finds
DAST scanners find a wide variety of security vulnerabilities without looking at the application's source code. These include SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and many others, covering the majority of the OWASP Top 10 categories. For a sample of the vulnerability types a DAST scanner identifies, check out the tests run by ZAP, the most widely used open source application security testing tool.
The OWASP Top 10 categories that DAST scanners do not cover are the ones that generalized automated testing cannot detect, because whether a behavior is a bug depends on the application's own rules. Some DAST tools, however, are introducing custom script support that allows testing of complex business logic or of vulnerabilities specific to your application. Examples include broken authentication and cross-tenancy checks (verifying that a user in one tenant cannot read another tenant's data).
DAST Options: Getting Started and Evaluating Tools
One benefit of dynamic application security testing is that getting started is easy. Because the tests are built into the tool, you can begin with as little as pointing the scanner at your host.
Whether you are looking to expand your enterprise application security program or are just getting started with your first application security tests, there are solutions that will support you. The following information provides a list of the leading solutions in the space as well as criteria to consider when selecting a tool.
DAST Products and Tools
There are many DAST tools on the market, including several open source or free options. Below is a list of the leading tools in the space that you could use for testing.
StackHawk: StackHawk is a modern DAST tool built for automation in CI/CD. For teams that want to catch vulnerabilities before they hit production and integrate security testing into engineering workflows, StackHawk is the leading option. StackHawk is built on top of the open source ZAP project and provides engineering teams with simplified automation, vulnerability triage, and remediation of security findings.
ZAP: ZAP is an open source DAST scanner. ZAP is the most widely used application security scanner, has been an industry standard for 10 years, and is built for automation. ZAP supports scanning from a desktop application and also supports automated scanning of web applications via its API.
Burp Suite: Burp Suite, a product of PortSwigger, is a penetration testing tool aimed at penetration testers and in-house application security teams doing manual, hands-on testing. There is also an enterprise edition that leverages agent deployments for automated scanning.
Detectify: Detectify is a more recent entrant in the DAST space that leverages a crowd-sourcing approach to identifying vulnerabilities. Its DAST scanner runs against production applications on a schedule.
Netsparker: Netsparker, by Invicti, is an established DAST tool that supports enterprise security teams. With on-premise deployment and a professional services arm to lead rollout, Netsparker fits enterprises not yet investing in DevSecOps.
Rapid7: InsightAppSec is the DAST solution provided by Rapid7, another long standing enterprise security platform. InsightAppSec supports on-premise deployment and scheduled scans of production, making it another option for enterprises that are not yet investing in DevSecOps.
Veracode: Veracode is an enterprise application security platform with SAST, SCA, IAST, and now DAST solutions. For large enterprises prioritizing a single platform for all application security needs, Veracode may be the right choice.
How to Select a DAST Tool
Once you decide to get started with dynamic application security testing, the hardest part of the process may be deciding which tool is right for you. Below are a few items to consider when selecting a tool.
Scan Frequency: Automated, Scheduled, or Manual
Consider how often you would like to kick off scans. The following options are the most common methods of scanning.
CI/CD Automated Scans
The future of application security is automated and integrated with the DevOps pipeline (which many call DevSecOps). Automated security scans in the CI/CD pipeline bring several benefits that lead to faster discovery and fixing of security issues, including:
Developers are alerted of new vulnerabilities before they hit production, optionally breaking the build to ensure a review happens before the release.
Testing can be run against underlying services and APIs instead of the customer-facing application, leading to faster identification of the underlying issue when a bug is found.
With tests on every pull request, smaller increments of change are tested, allowing developers to quickly fix vulnerabilities while still in the context of the code they were working on.
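A worked example of the build-breaking step, added here and not taken from StackHawk or ZAP: a CI gate that reads a DAST report, fails the job for findings at or above a chosen risk level, and lets reviewed findings through without losing them from the report. It assumes the layout of ZAP's JSON report (a site list carrying alerts with pluginid, riskcode and confidence) and uses a constructed report for a hypothetical host app.internal; the plugin IDs are ZAP's, but the findings themselves are invented.

```python
"""CI gate for a DAST report: decide whether the build fails, given a risk threshold
and a list of findings a reviewer has already accepted.
Added example, not StackHawk or ZAP code. It assumes the layout of ZAP's JSON report
(a "site" list whose entries carry "alerts", each with a "pluginid", a "riskcode"
of "0".."3" and a "confidence" of "0".."4"); map the keys for another scanner."""
import json
import sys

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed report in ZAP's JSON shape for a hypothetical host; not a real scan result.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://app.internal:8080",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.internal:8080/search?q=x", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "confidence": "3", "instances": [{"uri": "http://app.internal:8080/", "param": ""},
                                             {"uri": "http://app.internal:8080/login", "param": ""}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.internal:8080/profile", "param": ""}]},
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "0",
             "instances": [{"uri": "http://app.internal:8080/item?id=1", "param": "id"}]},
        ],
    }],
})


def evaluate(report_json, fail_at=2, accepted=(), min_confidence=1):
    """Return (should_fail, blocking, suppressed).

    fail_at: lowest riskcode that blocks the build (2 = Medium and above).
    accepted: (pluginid, uri prefix) pairs triaged as accepted risk; reported but not blocking.
    min_confidence: drops alerts a reviewer marked False Positive (confidence 0) in the scanner.
    """
    report = json.loads(report_json)
    blocking, suppressed = [], []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk, confidence = int(alert["riskcode"]), int(alert.get("confidence", 0))
            if risk < fail_at or confidence < min_confidence:
                continue
            for inst in alert.get("instances", []):
                item = {"plugin": alert["pluginid"], "alert": alert["alert"], "risk": RISK[risk],
                        "uri": inst.get("uri", ""), "param": inst.get("param", "")}
                accepted_here = any(alert["pluginid"] == pid and item["uri"].startswith(prefix)
                                    for pid, prefix in accepted)
                (suppressed if accepted_here else blocking).append(item)
    return bool(blocking), blocking, suppressed


def main(argv):
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    # Hypothetical allowlist: the CSP finding on this host is tracked in a separate ticket.
    accepted = [("10038", "http://app.internal:8080/")]
    should_fail, blocking, suppressed = evaluate(report, accepted=accepted)
    for item in blocking:
        print(f"BLOCK  {item['risk']:<13} {item['alert']} at {item['uri']} param={item['param']!r}")
    for item in suppressed:
        print(f"ACCEPT {item['risk']:<13} {item['alert']} at {item['uri']}")
    return 1 if should_fail else 0   # non-zero exit code is what fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the step after the scan with the report path as its argument; the accepted list is the place to record triage decisions so a known finding stops breaking every build without being silently dropped, and the confidence filter keeps findings a reviewer already marked as false positives from blocking.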
Scheduled Scans
Teams that are not yet ready to adopt application security automation may choose to run regularly scheduled scans against the application. While it may be simpler to run a scanner from outside infrastructure and kick off the scan on a timer, there are several concerns with this method of dynamic application security testing:
Scheduled scans are most typically performed against the production site. Because DAST scanners actively attack the application, the tests are often limited in scope to avoid disrupting production, which means some of the most damaging attack classes are never exercised against the application.
When a vulnerability is found, the team has to trace the finding back from a production URL to the responsible code and commit, an internal process that is slow and error-prone.
Production applications contain protections against bot activity, such as rate limiting, that make it harder for a scanner to run its tests effectively.
Manual Scans
Manual scans are often easy to get started with, but they do not scale across teams. Additionally, findings from these scans are less reproducible for the engineers who typically deploy fixes. Manual scans that inherit the shared configuration of automated testing, however, are highly useful for validating fixes.
Authenticated Scans
If your application requires user login, you’ll want a scanner that supports authenticated scans; otherwise the spider stops at the login page and everything behind it goes untested. This is harder to set up for automated or scheduled scanners, so make sure the vendor supports your form of authentication, such as cookie-based sessions, externally supplied tokens, and bearer tokens.
Application Target: Production vs. Pre-Production Sites
As mentioned above, there are many benefits to scanning pre-production rather than production: vulnerabilities are caught before they go live, the scanner does not have to get around rate limiters, firewalls, and WAFs, and the time to fix is shorter.
While the ability to run such scans depends partly on the company’s deployment pipeline, there is value in a scanner built to support pre-production scanning.
User of Tool: Security Analyst or Engineering Teams
When picking a tool, one of the top considerations should be who will use it. While testing and fixing application security flaws usually involves some combination of security and development teams, developer-centric security tooling is growing in popularity.
These tools are increasingly used to let developers make triage decisions and deploy fixes within their existing workflows, with the security team’s responsibility shifting to risk-based guidance and oversight.
API Security Testing
The application security testing landscape has shifted over the past several years, with APIs now serving as a primary attack vector. If you run application security testing against modern applications, ensure that the tooling you select supports API testing as a first-class part of the tool.
Additionally, if GraphQL is part of your tech stack, ensure that your DAST tool supports GraphQL API testing, including federated GraphQL implementations.
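As an added example (not code from any of the tools above) of the GraphQL introspection step described under How it Works: the script below takes an introspection response, lists the query and mutation operations with their argument and return types, and builds a runnable probe request per operation so a scanner has concrete requests to attack. The schema is constructed for a hypothetical application; the introspection query itself is standard GraphQL, trimmed to the fields the example uses.

```python
"""Turn a GraphQL introspection result into the API's query tree, then build a
concrete probe request per operation so a scanner has something to send.
Added example, not StackHawk or ZAP code. SCHEMA is a constructed introspection
response for a hypothetical application, not a real service."""
import json

# The introspection query a scanner POSTs to the GraphQL endpoint (standard GraphQL,
# trimmed: the fragment unwraps two levels of NON_NULL/LIST, enough for the types below).
INTROSPECTION_QUERY = """
query { __schema { queryType { name } mutationType { name }
  types { kind name fields { name args { name type { ...T } } type { ...T } } } } }
fragment T on __Type { kind name ofType { kind name ofType { kind name } } }
"""


def ref(kind, name=None, of=None):
    return {"kind": kind, "name": name, "ofType": of}


def scalar(name): return ref("SCALAR", name)
def obj(name): return ref("OBJECT", name)
def non_null(t): return ref("NON_NULL", of=t)
def list_of(t): return ref("LIST", of=t)


def field(name, type_, args=()):
    return {"name": name, "args": [{"name": n, "type": t} for n, t in args], "type": type_}


SCHEMA = {  # constructed: what data.__schema of the introspection response would hold
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            field("user", obj("User"), [("id", non_null(scalar("ID")))]),
            field("search", list_of(obj("Item")), [("term", scalar("String"))])]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            field("updateEmail", obj("User"),
                  [("userId", non_null(scalar("ID"))), ("email", non_null(scalar("String")))])]},
        {"kind": "OBJECT", "name": "User", "fields": [
            field("id", scalar("ID")), field("email", scalar("String")), field("orders", list_of(obj("Order")))]},
        {"kind": "OBJECT", "name": "Item", "fields": [field("id", scalar("ID")), field("name", scalar("String"))]},
        {"kind": "OBJECT", "name": "Order", "fields": [field("id", scalar("ID")), field("total", scalar("Float"))]},
        {"kind": "SCALAR", "name": "ID"}, {"kind": "SCALAR", "name": "String"}, {"kind": "SCALAR", "name": "Float"},
    ],
}


def render_type(t):
    """Render a type reference the way GraphQL SDL does: ID!, [Item], [Order!]!"""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]


def base_name(t):
    """Strip NON_NULL/LIST wrappers down to the named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t["name"]


def query_tree(schema):
    """List every root operation with its arguments and return type."""
    types = {t["name"]: t for t in schema["types"]}
    ops = []
    for op_kind, key in (("query", "queryType"), ("mutation", "mutationType")):
        root = schema.get(key)
        if not root:
            continue
        for f in types[root["name"]].get("fields") or []:
            ops.append({"op": op_kind, "name": f["name"],
                        "args": [(a["name"], render_type(a["type"])) for a in f["args"]],
                        "returns": render_type(f["type"]), "returns_base": base_name(f["type"])})
    return ops


def selection(types, type_name, depth):
    """Selection set naming every argument-free field, recursing into objects up to depth."""
    t = types[type_name]
    if t["kind"] != "OBJECT":
        return ""          # scalars and enums take no sub-selection
    parts = []
    for f in t.get("fields") or []:
        if f["args"]:
            continue       # fields that need arguments are probed as their own operations
        inner = base_name(f["type"])
        if types[inner]["kind"] == "OBJECT":
            if depth > 1:
                parts.append(f"{f['name']} {selection(types, inner, depth - 1)}")
        else:
            parts.append(f["name"])
    return "{ " + " ".join(parts) + " }"


def probe_request(schema, op_name, sample_args, depth=2):
    """Build a request document for one operation, filling its arguments from sample_args."""
    types = {t["name"]: t for t in schema["types"]}
    for op in query_tree(schema):
        if op["name"] != op_name:
            continue
        args = ", ".join(f"{name}: {json.dumps(sample_args[name])}" for name, _ in op["args"])
        call = f"{op_name}({args})" if args else op_name
        sel = selection(types, op["returns_base"], depth)
        return " ".join(p for p in (op["op"], "{", call, sel, "}") if p)
    raise KeyError(op_name)


if __name__ == "__main__":
    for op in query_tree(SCHEMA):
        print(f"{op['op']:<8} {op['name']}({', '.join(f'{n}: {t}' for n, t in op['args'])}) -> {op['returns']}")
    print(probe_request(SCHEMA, "user", {"id": "1"}))
```

Each operation in the tree, with its typed arguments, is one injection point for the attack phase; the depth limit matters because an unbounded selection over a schema with cycles (User -> orders -> user) would itself be a denial-of-service request against the target.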
Single Page Application Security Testing
Single Page Applications (SPAs), built with frameworks like React or Angular, have grown rapidly in popularity in recent years. Because an SPA renders its routes in the browser rather than serving them as static HTML, a traditional HTML spider sees only the application shell and cannot discover the paths to test. Testing SPAs requires a tool with an AJAX spider that executes the JavaScript, as well as one that can scan the underlying APIs the SPA calls.
Deployment Model: On-Prem vs. SaaS
In determining the correct application security testing tool, you should consider the deployment model for your organization. Most companies will prefer a SaaS solution, but some companies still require an on-premise solution.
Conclusion: Just Start Testing
Dynamic application security testing is an excellent way to ensure that you are delivering secure applications and reducing the risk of a breach. Getting started is relatively simple, and there are numerous free and open source tools to support your testing. DAST gives developers a significant security advantage by identifying security vulnerabilities and generating quality vulnerability assessment reports. The takeaway: just start testing!
Try out StackHawk
If you're looking for the fastest way to get started with DAST, look no further than StackHawk. Sign up today for a free trial of the DAST platform built by developers for developers.