
What is DAST, and Why Should Developers Use It?

DAST stands for Dynamic Application Security Testing: testing a running web, mobile, or API application from the outside, by sending it simulated attacks, to find vulnerabilities and other security bugs.


DAST is live testing of a deployed application, either with an automated scanner or through manual penetration-testing techniques. It sees only what the application sends back, not its source.


Most developers have not heard of DAST scanners because they are used mainly by AppSec engineers and penetration testers.


What kind of vulnerabilities does DAST find?

Most automated scanners find the injection-class vulnerabilities: SQL injection, NoSQL injection, cross-site scripting (XSS), and similar bugs where a crafted input produces an observable change in the response (a reflected payload, a database error, a different status code).
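What such a scanner actually does is easy to see in code. The following is an added example, not code from the original post: a minimal black-box probe that injects payloads into query parameters and classifies the response the way a DAST tool does. `scan_url`, `vulnerable_app`, and `http_fetch` are names chosen here; `vulnerable_app` is a constructed stand-in target (it really reflects input unescaped and really concatenates SQL into an in-memory SQLite query) so the script runs offline, and `http_fetch` is the transport you would use against a deployment you are authorized to test.

```python
"""Minimal DAST-style probe for reflected XSS and error-based SQL injection.

Added example, not code from the original post. scan_url only sees what the
target sends back, exactly like a real scanner. vulnerable_app is a
constructed stand-in target so the script runs offline.
"""
import re
import sqlite3
import urllib.error
import urllib.parse
import urllib.request
from html import escape
from typing import Callable, Dict, List, Tuple

# Transport: full URL in, (status, body) out. Real HTTP or in-process.
Fetch = Callable[[str], Tuple[int, str]]

# A distinctive marker makes a reflection unambiguous in the response body.
XSS_PAYLOAD = '"><svg onload=alert(dast7f3c)>'
# Ordered from least to most intrusive; a single stray quote is usually enough.
SQLI_PAYLOADS = ["'", "1' OR '1'='1", "1;--"]
# Database error signatures a scanner looks for in responses (assumed set).
SQL_ERROR_PATTERNS = [
    re.compile(r"you have an error in your sql syntax", re.I),  # MySQL
    re.compile(r"unterminated quoted string", re.I),            # PostgreSQL
    re.compile(r"sqlite3\.\w*Error"),                            # Python sqlite3
    re.compile(r"ORA-\d{5}"),                                    # Oracle
]


def _with_param(base_url: str, params: Dict[str, str], name: str, value: str) -> str:
    q = dict(params)
    q[name] = value
    return base_url + "?" + urllib.parse.urlencode(q)


def scan_url(fetch: Fetch, base_url: str, params: Dict[str, str]) -> List[Dict[str, str]]:
    """Inject each payload into each query parameter and classify the response."""
    findings: List[Dict[str, str]] = []
    for name in params:
        # Reflected XSS: the payload comes back byte-for-byte, i.e. unencoded.
        _, body = fetch(_with_param(base_url, params, name, XSS_PAYLOAD))
        if XSS_PAYLOAD in body:
            findings.append({"param": name, "type": "reflected-xss",
                             "payload": XSS_PAYLOAD, "evidence": "payload reflected unencoded"})
        # Error-based SQLi: the payload provokes a database error that leaks into the body.
        for payload in SQLI_PAYLOADS:
            _, body = fetch(_with_param(base_url, params, name, payload))
            hit = next((p.pattern for p in SQL_ERROR_PATTERNS if p.search(body)), None)
            if hit:
                findings.append({"param": name, "type": "sql-error",
                                 "payload": payload, "evidence": hit})
                break  # one proof per parameter is enough; do not hammer the target
    return findings


def http_fetch(url: str) -> Tuple[int, str]:
    """Real transport (plain GET). Use only against targets you are authorized to test."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# --- constructed target, so the example runs offline ------------------------
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE items (id TEXT, name TEXT)")
_DB.execute("INSERT INTO items VALUES ('1', 'widget')")


def vulnerable_app(url: str) -> Tuple[int, str]:
    """Stand-in target: /search reflects q unescaped (XSS); /item concatenates
    id into SQL and leaks the driver's error (SQLi)."""
    parsed = urllib.parse.urlparse(url)
    qs = dict(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    if parsed.path == "/search":
        return 200, f"<h1>Results for {qs.get('q', '')}</h1>"
    if parsed.path == "/item":
        item_id = qs.get("id", "")
        try:  # deliberately unsafe: string concatenation instead of a bound parameter
            rows = _DB.execute("SELECT name FROM items WHERE id = '" + item_id + "'").fetchall()
        except sqlite3.Error as err:
            return 500, f"{type(err).__module__}.{type(err).__name__}: {err}"
        return 200, "".join(f"<p>{escape(r[0])}</p>" for r in rows)
    return 404, "not found"


if __name__ == "__main__":
    for path, params in (("/search", {"q": "shoes"}), ("/item", {"id": "1"})):
        for f in scan_url(vulnerable_app, "http://target.invalid" + path, params):
            print(f"{path} param={f['param']} {f['type']} via {f['payload']!r}: {f['evidence']}")
```

Run as-is it reports one reflected-XSS finding on `/search?q=` and one error-based SQL finding on `/item?id=`; swap `vulnerable_app` for `http_fetch` and a real base URL to probe a deployment. Note what the probe cannot tell you: that `/item` should have refused the request for some other user's item. That is the authorization class of bug the next section is about.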

The harder-to-find vulnerabilities, such as business-logic bugs and authentication and authorization flaws, are usually found by ethical hackers, penetration testers, and AppSec engineers, because a scanner has no way of knowing which user is supposed to be allowed to do what. The preferred approach is to capture those findings as automated test cases that run as part of CI/CD.


Should developers care about DAST? 

Yes. Any of the critical vulnerabilities above can lead to a data breach and to punitive damages. And the cost to developers is now low: most DAST scanners can be integrated into a CI/CD pipeline and run fully automated.


Pros of DAST

  • Tech stack independent: DAST tests the running application as a whole, regardless of language or framework, so your own code and every library it loads at runtime are exercised together.
  • Requires no access to the source code.
  • Low false positives: according to the OWASP Benchmark project, DAST tools produce fewer false positives than other testing approaches, since each finding is backed by an actual response from the application.
  • Identifies configuration issues: DAST excels at finding vulnerabilities that only exist when the application is running. Because it attacks the application from the outside in, it is well placed to find configuration mistakes that other application security testing (AST) tools miss.
  • Logic vulnerabilities: these flaws are hard to detect early in development because they depend on security configuration, data, and environment, so they often surface only in production-like environments. Most bug bounty programs pay for these kinds of flaws rather than for traditional, low-hanging issues. Detecting them requires writing test cases and executing them continuously in dev and production.
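Both the paragraph on hard-to-find flaws and the logic-vulnerabilities point above come down to the same practice: write the authorization checks down as test cases and run them in the pipeline. The following is an added example, not code from the original post or any project it names, of what those test cases look like. `USERS`, `INVOICES`, `make_app`, `authz_violations`, and `http_client` are names and fixtures chosen here: `make_app` is a constructed in-process API (with a flag that turns its object-level and function-level authorization on or off) so the script runs offline, and `http_client` is the transport for running the same checks against a staging deployment from CI.

```python
"""Authorization test cases of the kind a scanner cannot derive on its own.

Added example, not code from the original post. The checks encode who is
supposed to be allowed to do what; make_app is a constructed fixture.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

Response = Tuple[int, dict]
# A client is (method, path, bearer token) -> (status, parsed JSON body).
Client = Callable[[str, str, str], Response]

# Constructed fixture: two ordinary users, one admin, one invoice each.
USERS = {
    "tok-alice": {"id": 1, "role": "user"},
    "tok-bob": {"id": 2, "role": "user"},
    "tok-root": {"id": 3, "role": "admin"},
}
INVOICES = {1: {"owner": 1, "amount": 40}, 2: {"owner": 2, "amount": 99}}


def make_app(enforce_authz: bool) -> Client:
    """In-process stand-in API. With enforce_authz=False it has two classic bugs:
    any logged-in user can read any invoice (BOLA/IDOR) and reach /admin/users."""
    def app(method: str, path: str, token: str) -> Response:
        user = USERS.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        parts = path.strip("/").split("/")
        if method == "GET" and len(parts) == 2 and parts[0] == "invoices" and parts[1].isdigit():
            inv = INVOICES.get(int(parts[1]))
            if inv is None:
                return 404, {"error": "not found"}
            is_owner = inv["owner"] == user["id"]
            if enforce_authz and not (is_owner or user["role"] == "admin"):
                return 403, {"error": "forbidden"}
            return 200, dict(inv)
        if method == "GET" and path == "/admin/users":
            if enforce_authz and user["role"] != "admin":
                return 403, {"error": "forbidden"}
            return 200, {"users": sorted(u["id"] for u in USERS.values())}
        return 404, {"error": "not found"}
    return app


def authz_violations(client: Client) -> List[str]:
    """Run the authorization test cases; an empty list means they all pass."""
    v: List[str] = []

    def expect(label: str, got: int, want: int) -> None:
        if got != want:
            v.append(f"{label}: got HTTP {got}, expected {want}")

    # Control: Alice can read her own invoice, so the endpoint is really live.
    status, body = client("GET", "/invoices/1", "tok-alice")
    expect("alice reads own invoice", status, 200)
    if status == 200 and body.get("owner") != 1:
        v.append("alice's invoice came back with the wrong owner")
    # Horizontal (object-level): Alice must not read Bob's invoice.
    expect("alice reads bob's invoice", client("GET", "/invoices/2", "tok-alice")[0], 403)
    # Vertical (function-level): a plain user must not reach the admin listing.
    expect("bob lists users via /admin", client("GET", "/admin/users", "tok-bob")[0], 403)
    # Unauthenticated requests must be rejected, not silently served.
    expect("anonymous reads invoice", client("GET", "/invoices/1", "")[0], 401)
    return v


def http_client(base_url: str) -> Client:
    """Real transport for CI runs against a deployment you are authorized to test."""
    def send(method: str, path: str, token: str) -> Response:
        req = urllib.request.Request(base_url + path, method=method)
        if token:
            req.add_header("Authorization", "Bearer " + token)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


def run(client: Client) -> int:
    """CI entry point: print violations and return the process exit code."""
    violations = authz_violations(client)
    for line in violations:
        print("FAIL", line)
    return 1 if violations else 0


if __name__ == "__main__":
    # With a base URL (e.g. a staging host) the checks run over HTTP; otherwise
    # they run against the constructed fixture, first buggy, then fixed.
    if len(sys.argv) > 1:
        sys.exit(run(http_client(sys.argv[1])))
    print("buggy fixture exit code:", run(make_app(enforce_authz=False)))
    print("fixed fixture exit code:", run(make_app(enforce_authz=True)))
```

The control case matters: without it, a test that only asserts "403" would also pass against an endpoint that is simply down. Wiring the script into CI is just running it against the staging URL and letting the non-zero exit code fail the job; the tokens would then come from pipeline secrets rather than the constants above.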


Cons of DAST

  • Does not pinpoint the vulnerable line of code: it reports the request and response that triggered the finding, and a developer has to trace that back into the source.
  • Scans can be time-consuming, since they need a deployed, running application and exercise it request by request.



Here are a few free DAST solutions you can run against your live applications. Keep in mind that even a "safe" scanner sends real attack payloads, so run it against a staging copy or a target you are authorized to test, and expect it to create test data.


EthicalCheck

Free and automated DAST for APIs.

https://apisec-inc.github.io/pentest/


Burp Suite (Community Edition)

Manual testing proxy; write your own tests.

https://portswigger.net/burp/communitydownload
