Dynamic Application Security Testing (DAST) is a method of testing the security of an application by examining its behavior while it is running. It involves simulating real-world attacks and interactions with the application to identify security vulnerabilities and potential exploits.
When to use DAST
DAST is typically used after an application has been deployed, when it is running in a live environment. It is a complementary technique to Static Application Security Testing (SAST), which analyzes source code before deployment. DAST is particularly useful for identifying security vulnerabilities that cannot be detected through code analysis alone, such as configuration issues, input validation problems, and session management issues.
Who should do DAST
DAST can be performed by security professionals, penetration testers, or developers. However, it is usually performed by security professionals who have the expertise and experience to perform this type of testing.
How to do DAST
There are several steps involved in performing DAST:
- Planning: Define the scope and objectives of the DAST test.
- Preparation: Set up the testing environment, including the application, network infrastructure, and test tools.
- Scanning: Perform the actual test by simulating real-world attacks on the application and analyzing its behavior.
- Reporting: Analyze the results of the test and produce a report that includes a list of vulnerabilities, their severity, and recommendations for remediation.
- Remediation: Fix the identified security vulnerabilities, and re-test the application to ensure that it is secure.
DAST and code review
Dynamic Application Security Testing (DAST) is not typically done during code review, as code review is focused on the quality and maintainability of the code, whereas DAST is focused on the security of the application as it is running. Code review is usually performed during the development phase before the application is deployed, while DAST is performed after the application has been deployed.
Shifting security left
However, it is possible to integrate security considerations into the code review process by incorporating both code analysis (such as SAST) and dynamic testing (such as DAST) into the development process. By doing so, organizations can shift security left and catch security vulnerabilities early in the development cycle, reducing the risk of data breaches and ensuring that their applications are secure.
Popular DAST tools
- OWASP ZAP: An open-source DAST tool that is easy to use and provides a graphical user interface for performing automated security scans.
- Nessus: A commercial DAST tool that offers both vulnerability scanning and penetration testing capabilities.
- Burp Suite: A commercial DAST tool that provides a comprehensive set of features for performing web application security testing.
- Acunetix: A commercial DAST tool that is specifically designed for web application security testing and provides both vulnerability scanning and manual testing capabilities.
- Qualys Web Application Scanning: A commercial DAST tool that provides both vulnerability scanning and penetration testing capabilities.
- WebInspect: A commercial DAST tool that provides comprehensive web application security testing capabilities, including vulnerability scanning and penetration testing.
DAST is a valuable technique for testing the security of an application and identifying security vulnerabilities that cannot be detected through code analysis alone. By performing DAST, organizations can reduce the risk of data breaches and ensure that their applications are secure.