The rise of application security testing tools in recent years has led to significant confusion. For some buyers and vendors, DAST has been mistakenly reduced to a mere checklist item with a greater emphasis on affordability rather than quality. This rush towards cost-cutting measures is creating risks in organizations that security leaders may not be fully aware of. It is time to differentiate between business-critical DAST and superficial “check-the-box” DAST—with an infographic to illustrate the distinction.
Navigating the DAST maze
First and foremost, dynamic application security testing (DAST) encompasses all forms of security testing performed on a live application, whether manual or automated. However, in cybersecurity terminology, a “DAST tool” commonly refers to a web vulnerability scanner, and such tools vary widely in maturity, purpose, and effectiveness. Broadly speaking, there are three informal categories of DAST tools:
- Pentesting scanners: Individual-user scanners designed for on-the-spot scanning to identify potential issues for further manual evaluation
- Basic automated scanners: Outdated products that often struggle with contemporary web applications, resulting in subpar outcomes
- Comprehensive DAST solutions: Specialized products tailored for automated vulnerability testing and constantly updated to keep pace with current web technologies
The type of tool that suits you best depends on your specific use case. For instance, a scanner that works well for a penetration tester might inundate developers with false positives if automated for pipeline integration. Conversely, an extensive enterprise solution with automation and integration capabilities might be excessive if you only require scanning for a single site. Ultimately, beyond distinct product categories, there exist only two types of DAST tools: those indispensable for your application security and those that merely fulfill your “DAST” checkbox.
The checkbox trap
Vulnerability scanning is not solely a best practice but often a mandatory compliance requirement. Amidst numerous other obligations, DAST may be relegated to a mere checkbox that must be ticked, irrespective of scan accuracy or relevance to your particular organization. This temptation is heightened when DAST is bundled inexpensively with other cybersecurity tools, or when someone suggests, “let’s just use an open-source scanner, it’s free.”
The checkbox approach to DAST exposes organizations to vulnerabilities, increases their risk exposure, and fosters a false sense of security. Simply having a tool does not enhance your security posture. Running scans that yield no findings or generating useless reports for remediation does not mitigate risks.
Effectively functioning DAST tools can revolutionize your entire application security strategy. Conversely, ineffective DAST tools can be more detrimental than having no DAST at all.
You can’t automate inaccurate results
The primary challenge with automated dynamic testing is ensuring accuracy throughout the scanning process. Inaccurate crawling may result in some targets being overlooked, while an insufficiently advanced scan engine may allow vulnerabilities in tested targets to slip through undetected. Moreover, inadequate reporting and prioritization can inundate users with false positives and other non-actionable alerts.
With ineffective crawling and testing, the scanner may report minimal findings or none at all, potentially instilling a false sense of security. A common issue with outdated tools is their incapacity to handle modern authentication requirements and JavaScript-intensive dynamic applications, leading to critical areas of the application remaining untested.
Upon completing scans, accurate reporting entails presenting users solely with pertinent findings. While the many uncertain results a pentesting scanner produces can be useful during manual ad-hoc testing, the same results may impede automation efforts. Expecting developers to sift through dozens of suspected vulnerabilities, especially via automated tickets, may cause them to disregard security issues after encountering a few false positives.
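The two failure modes described above, untested parts of the application and a flood of low-confidence findings, can both be checked before anyone opens a ticket. The following script is an added example, not code from the original article or from any scanner vendor; the route inventory, crawl log, findings and the confidence field are all constructed sample data standing in for whatever your scanner exports. It compares what the scanner actually crawled against the routes the application team knows exist, flags when nothing behind authentication was reached (the typical sign of a failed login or SSO flow), and separates high-confidence findings worth auto-filing from those that belong in manual review.

```python
"""Coverage and triage checks for DAST output (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed route inventory, e.g. exported from the app's router or sitemap.
# Paths under /account/ require a logged-in session.
KNOWN_ROUTES = {
    "/", "/login", "/search", "/products/{id}",
    "/account/profile", "/account/orders", "/account/api-keys",
}
AUTHENTICATED_PREFIXES = ("/account/",)

# Constructed crawl log as a scanner might report it. The scanner never got
# past the login form, so nothing under /account/ appears.
CRAWLED_URLS = [
    "https://app.example.test/",
    "https://app.example.test/login",
    "https://app.example.test/search?q=test",
    "https://app.example.test/products/17",
    "https://app.example.test/products/42/",
]

# Constructed findings; the 0-100 "confidence" field is an assumption about
# the export format, adjust the key to match your tool.
FINDINGS = [
    {"name": "Reflected XSS", "url": "https://app.example.test/search?q=",
     "severity": "high", "confidence": 95},
    {"name": "SQL injection (possible)", "url": "https://app.example.test/products/17",
     "severity": "high", "confidence": 40},
    {"name": "Missing X-Frame-Options", "url": "https://app.example.test/",
     "severity": "low", "confidence": 100},
    {"name": "Possible open redirect", "url": "https://app.example.test/login",
     "severity": "medium", "confidence": 25},
]


def normalize_path(url):
    """Reduce a crawled URL to a route template: drop query, trailing slash, numeric ids."""
    path = urlsplit(url).path.rstrip("/") or "/"
    parts = ["{id}" if p.isdigit() else p for p in path.split("/")]
    return "/".join(parts) or "/"


def untested_routes(known=KNOWN_ROUTES, crawled=CRAWLED_URLS):
    """Routes the team knows about that never appeared in the crawl."""
    covered = {normalize_path(u) for u in crawled}
    return sorted(known - covered)


def authenticated_area_reached(crawled=CRAWLED_URLS, prefixes=AUTHENTICATED_PREFIXES):
    """False means the scanner most likely never logged in, so those pages were not tested."""
    return any(normalize_path(u).startswith(prefixes) for u in crawled)


def triage(findings=FINDINGS, min_confidence=80):
    """Split findings into tickets worth auto-filing and items held for manual review."""
    tickets, review = [], []
    for finding in findings:
        (tickets if finding["confidence"] >= min_confidence else review).append(finding)
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    tickets.sort(key=lambda f: order[f["severity"]])
    return tickets, review


def coverage_report():
    """Summarise whether the scan can be trusted before anyone reads the findings."""
    missing = untested_routes()
    tickets, review = triage()
    return {
        "untested_routes": missing,
        "authenticated_area_reached": authenticated_area_reached(),
        "tickets": [f["name"] for f in tickets],
        "manual_review": [f["name"] for f in review],
        "scan_trusted": not missing,
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key}: {value}")
```

With the constructed data the report lists the three /account/ routes as untested and marks the scan as not trusted, which is the signal to fix the scanner's authentication rather than to treat "no findings behind login" as good news; only the two high-confidence findings become tickets, the two "possible" ones wait for a human.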
Choosing shortcuts to tick the DAST checkbox can waste time and money without yielding substantial security enhancements.
There’s no such thing as a free DAST
Automated web vulnerability testing necessitates years of continuous research, development, and maintenance to achieve precision on real-world applications and technology stacks. This process involves frequent updates to security checks and refinement of the scanner and its configuration options to ensure compatibility across diverse application environments. Without external investment in product development, internal attempts to maintain such standards can be costly.
One downside of bundled scanners is that the vendor gives them little maintenance and low priority, leaving teams to grapple with scan execution and tool integration challenges. For instance, a decade-old tool may struggle with SSO authentication, necessitating manual authentication or failing to scan authenticated pages—resulting in wasted labor hours.
Likewise, integrating basic DAST tools into workflows demands substantial effort in building custom integrations and fragile data ingestion scripts. Following integration, the delivered results may prove unusable, leading to wasted resources and negligible outcomes.
Getting value from DAST
Every organization requires a DAST tool to scrutinize vulnerabilities in its applications, be it in production, development, or both. When selecting the optimal solution, consider not only the upfront costs but also the time and expenses associated with achieving measurable value. For DAST specifically, vendor support can significantly impact the tool’s efficacy and value realization timeline. To establish DAST as a pivotal element in your application security strategy, it should be swiftly implemented, fine-tuned for comprehensive scanning across your application environment, and furnish actionable reports for remediation.
Ultimately, the disparity lies between “Here’s the tool, manage it” and “Let’s facilitate identification and resolution of vulnerabilities promptly.”