• DAST is a security testing technique which involves simulating attacks against the application and analyzes how the application behaves
  • The application is tested dynamically from the outside when application is running
  • DAST is generally performed by the penetration testers or security practitioners on a working system in pre-production, a test environment, or even in production
  • These individuals typically uses automated web application vulnerability scanners to conduct DAST
  • These scanners believe in fuzzing the application inputs with attack payloads in order to detect security weaknesses
  • Typical web application vulnerability scanners are classified into:
    – Classic application security scanners: They crawl and automatically scan all detected webpages. However, they have limited coverage within the application as they do not have understanding of business flows
    – Proxy-based security testing tools: These are scanners integrated in web application proxies which provide fine-grained control over each request that gets scanned

DAST (Dynamic)

Scans interface of running application

  • Black box testing
  • Simulates a live attacker
  • Sends HTTP requests
  • Analyses HTTP responses

Types of DAST

  • Automated Application Vulnerability Scanning
    – Security tester uses classic application security scanners to scanners to scan the web application for vulnerabilities
  • Manual Application Security Testing
    – Security tester uses Proxy-based security testing tools to craft and send request manually and analyze the responses from the application

SAST vs DAST

Web Application Security Scanners: WebInspect

  • WebInspect is a web application security assessment solution designed to thoroughly analyze today’s complex web applications and web services for security vulnerabilities
  • It provides the broadest dynamic application security testing (DAST) coverage and detects new types of vulnerabilities that often go undetected by black-box security testing technologies

Web Application Security Scanners: IBM SecurityAppScan

  • IBM Security AppScan helps organizations decrease the likelihood of web application attacks and costly data breaches by automating application security vulnerability testing

Additional Web Application Vulnerability Scanners

Burp Suite

  • Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities
  • Install and configure Burp Suite in the browser of your interest

OWASP Zed Attack Proxy (ZAP)

  • OWASP ZAP is an open source, easy to use, integrated penetration testing tool for finding vulnerabilities in web applications

DAST using OWASP ZAP

  1. Install and configure ZAP in the browser of your interest
  2. Insert the URL of web application that you want to test and start the attack

Additional Proxy-based Security Testing Tools

Choosing Between SAST and DAST

  1. SAST is white box security testing approach while DAST is a black box security testing approach
  2. These approaches work differently on their part to find security flaws in the application
  3. Relying on DAST alone does not ensure that security flaws will exist that you have not tested for
  4. Relying on SAST alone does not ensure that security flaw will not exist that may arise when application is running
  5. After SAST, security tester may have abetter chance of finding different problems when application is running
  6. Thus, both SAST and DAST are required in a secure software development program

Module Summary

  • SAST is one of the software security assurance approaches executed in an attempt to identify security-related weaknesses in the code
  • Manual Source Code Review involves manually inspecting the source code line by line to detect any defects and security related flaws
  • The static code analysis tools automate the entire process of secure code review; however, they scan the code superficially
  • With manual secure code review, you can analyze and detect many security vulnerabilities especially those missed out during the static code analysis
  • DAST is a security testing technique which involves simulating attacks against the application and analyzing how the application behaves
  • SAST is a white box security testing approach while DAST is a black box security testing approach