There’s no silver bullet solution with cybersecurity, a layered defense is the only viable defense.
—James Scott, Fellow at the Institute for Critical Infrastructure Technology
Building up overlapping and complementary layers of security is a crucial goal for any company’s cybersecurity program, and web applications and APIs are at the heart of that effort. But while layered protection is well understood, many organizations still underestimate the importance of also layering security testing to minimize the risk of vulnerabilities making it into production. As you build up your layered application security process, DAST is the glue that holds it all together and fills any gaps left by other testing approaches.
Dynamic application security testing (DAST) is the only security testing methodology that combines an attacker’s-eye view of your external attack surface with vulnerability testing at multiple points in development, staging, and production. It is thus uniquely positioned to act as your outer safety net while also working in tandem with complementary testing approaches like SAST (static application security testing), SCA (software composition analysis), or even IAST (interactive application security testing). The reason DAST is special is that only dynamic testing (aka black-box testing) can show you if a vulnerability that exists or is suspected in code is exploitable in the running application.
DAST specialties: Vulnerabilities you shouldn’t be seeing in production
You’ve probably seen some myths about DAST tools and their use in DevOps floating around the industry, especially if you’re investigating security solutions for vulnerability scanning. To illustrate how building DAST into your software development lifecycle (SDLC) can help keep your entire application security program together, let’s look at how DAST helps with some typical vulnerabilities that can be introduced during application development and deployment. Knowing these vulnerabilities will help you maintain a sound security posture and stay proactive by fixing security issues as early as possible—before they turn into bigger headaches.
SQL injection
One of the oldest web security vulnerabilities, SQL injection allows attackers to manipulate the queries an application sends to a database. Once they’ve injected malicious SQL statements, attackers can manipulate databases, grab sensitive data, bypass authentication, and much more, depending on the specific application, vulnerability, and database. In fact, in the devastating MOVEit Transfer attacks, SQL injection was chained with several other vulnerabilities to eventually achieve remote code execution (RCE)—the “game over” result of application security.
Many simpler SQL injection vulnerabilities can already be identified in the application’s source code with static analysis (white-box testing) and prevented through secure coding practices, but it’s hard for a SAST tool to be sure whether a potentially insecure construct actually leads to a vulnerability and, if so, whether that vulnerability is exploitable. With DAST tools integrated into your testing process and providing an outside-in view, simulated attacks are used to check for exploitable vulnerabilities, including (for advanced DAST) out-of-band and second-order SQL injections. Invicti DAST solutions also provide automatic confirmation and proof of exploit for many SQL injections.
Learn more about SQL injection.
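To make the SAST-versus-DAST distinction concrete, here is an added example (not from the original article or from Invicti) in Python with sqlite3: three lookup functions that a pattern-based static check would flag identically, and a simplified DAST-style probe that judges exploitability from runtime behaviour instead. The in-memory users table, the function names, and the probe logic are all constructed for this illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_concat(conn, user_id):
    # Untrusted input concatenated into SQL: flagged by SAST and exploitable.
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()

def lookup_cast(conn, user_id):
    # Same textual pattern, so SAST flags it too, but int() rejects anything
    # that is not a number before it reaches the database: not exploitable.
    return conn.execute(f"SELECT name FROM users WHERE id = {int(user_id)}").fetchall()

def lookup_param(conn, user_id):
    # Hardened form: a parameterized query, so the driver never interprets
    # the value as SQL.
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()

def dast_style_probe(handler):
    """Simplified dynamic check in the spirit of a DAST scanner: request a
    baseline with a benign id, then with a tautology appended, and compare
    the size of the result sets. Returns True only when the tautology
    widened the result, i.e. the injected SQL was actually executed."""
    conn = make_db()
    baseline = handler(conn, "1")
    try:
        probed = handler(conn, "1 OR 1=1")
    except (ValueError, sqlite3.Error):
        return False  # rejected before or by the database: no injection here
    return len(probed) > len(baseline)

if __name__ == "__main__":
    for fn in (lookup_concat, lookup_cast, lookup_param):
        print(f"{fn.__name__}: exploitable={dast_style_probe(fn)}")
```

Only the concatenating handler is reported as exploitable; the cast and parameterized variants look the same to a textual pattern match but behave safely at runtime, which is exactly the false-positive class DAST helps triage.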
Cross-site scripting (XSS)
Cross-site scripting is another common security flaw that both DAST and SAST tools can detect, but only DAST can confirm. In XSS attacks, an attacker injects malicious scripts into pages to potentially steal user sessions, deface websites, distribute malware, and much more. As with SQLi, static analysis can flag places where user inputs are handled insecurely, but many of the XSS results will be either false positives or irrelevant in a specific context. Dynamic application security testing tests the running app after those first static checks and attempts to inject actual XSS payloads into input fields and parameters to see what’s exploitable. Advanced DAST tools can automatically confirm many XSS vulnerabilities, cutting through the false positive struggles typical of SAST.
Learn more about XSS.
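The confirmation step described above can be illustrated with a canary-based reflection check. This is an added Python example, not code from the article or from Invicti: two constructed page handlers (one reflecting a parameter raw, one HTML-encoding it) and a probe that injects a unique, harmless marker containing the characters that matter in an HTML text context and classifies how the response reflects it.

```python
import html
import secrets

def render_unsafe(name):
    # Constructed handler that reflects a request parameter without encoding.
    return f"<p>Hello, {name}!</p>"

def render_escaped(name):
    # Hardened form: HTML-encode untrusted input for the HTML text context.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def xss_reflection_probe(handler):
    """DAST-style reflected-XSS check. The canary is random so the match
    cannot be a coincidence, and the payload is deliberately inert (not a
    valid tag, no script). Classification:
      "exploitable"   - the markup characters came back unencoded
      "encoded"       - the value is reflected but neutralized
      "not reflected" - the input does not reach this response at all"""
    canary = secrets.token_hex(6)
    payload = f'<{canary}">'
    body = handler(payload)
    if payload in body:
        return "exploitable"
    if canary in body:
        return "encoded"
    return "not reflected"

if __name__ == "__main__":
    for fn in (render_unsafe, render_escaped):
        print(f"{fn.__name__}: {xss_reflection_probe(fn)}")
```

A real scanner repeats this per parameter and per output context (attribute, script, URL), since encoding that is correct for one context is not sufficient for another.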
Security misconfigurations
Runtime security issues such as misconfigurations are where DAST comes into its own. While some security headers and other configuration features can be set in application code, most are set on the server, so checking the combined configuration is only possible with dynamic testing. SAST can still find some configuration issues in the source code, and SCA will help to identify potentially vulnerable components, but it takes DAST to put it all together and give you a picture of the resulting security posture. Other DAST-specific features, such as tech stack checks and dynamic SCA, add yet another layer of checks to minimize the risk of vulnerable open-source components, frameworks, or libraries making it into the final build.
Learn more about security misconfigurations.
Broken authentication and session management flaws
Subpar authentication and session management measures can give the bad guys a foothold for attacks against your applications and especially APIs. If access is not properly secured, attackers may be able to impersonate legitimate users to extract sensitive data or access restricted app functionality and API endpoints. DAST tools mimic the actions of attackers to uncover authentication gaps and weaknesses that may allow for attacks that include session fixation or hijacking, credential stuffing, and cookie manipulation.
Learn more about session hijacking.
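Both the misconfiguration section and the session management section above come down to checks that only a live HTTP response can answer. The following added Python example (not from the article or from Invicti) audits two constructed responses, one weak and one hardened, for security headers and for the Secure, HttpOnly and SameSite attributes on session cookies; the header values, cookie name and the six-month HSTS threshold are all assumptions made for this illustration.

```python
# Constructed HTTP responses (not from any real server), captured as a scanner would see them.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Strict-Transport-Security: max-age=300
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
"""
HSTS_MIN_AGE = 15552000  # six months; an assumed policy threshold for this example

def parse_headers(raw):
    # Header name (lower-cased) -> list of values; the status line is skipped.
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    for directive in value.lower().split(";"):
        key, _, val = directive.strip().partition("=")
        if key == "max-age" and val.strip().isdigit():
            return int(val)
    return 0

def audit_response(raw):
    # Returns sorted finding identifiers for one captured response.
    h = parse_headers(raw)
    findings = []
    if "x-content-type-options" not in h:
        findings.append("missing-x-content-type-options")
    if "content-security-policy" not in h:
        findings.append("missing-csp")
    if hsts_max_age(h.get("strict-transport-security", [""])[0]) < HSTS_MIN_AGE:
        findings.append("weak-or-missing-hsts")
    # Session cookies: each Set-Cookie should carry Secure, HttpOnly and SameSite.
    for cookie in h.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie-{name}-missing-{flag}")
    return sorted(findings)
```

None of these findings are visible in application source alone when the headers and cookie attributes are applied by the web server or a reverse proxy, which is why the page places them in DAST's column.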
Exploitability is the key to realistic AppSec
Dynamic application security testing is a powerful tool for identifying a wide array of application vulnerabilities, but its true power lies in showing exploitability and catching flaws that slipped through other layers of security testing. Pairing DAST solutions with approaches such as SAST, IAST, SCA, API security, and manual penetration testing gives organizations a more realistic view of their security posture and helps get the best out of each approach. Taking the multi-layered approach in an integrated DevSecOps process actively uncovers any vulnerabilities and security risks at both the code and the runtime level, helping to close down potential attack avenues before they can turn into data breaches.
Now that’s proactive—even before you get into advanced DAST features like Invicti’s Predictive Risk Scoring, which gives you a security risk estimate and remediation priorities before you run a single scan. Ready to learn more about Invicti’s proactive layered AppSec? Let’s talk.