Dynamic application security testing (DAST) tools have been widely used for more than a decade, but there still exist misconceptions of what they can and can't do. The good news is that modern DAST tools far outstrip the abilities of their legacy forbears, making them essential components of any modern software development life cycle (SDLC).
What legacy DAST tools can and can't do
The fundamental ability of a DAST tool is to conduct an automated pen-test of a web application -- essentially, to test application security by attacking a web application as a hacker would, probing for flaws. That's still the case, although modern DAST tools now go much further.
Legacy DAST tools, which include many of the free and open-source versions, give you strictly black-box insight into the workings of a web app. They can only tell you what's going in and coming out.
If they discover any vulnerabilities, legacy DAST tools can't provide any proof that the vulnerabilities are actually exploitable. It's up to the developers using the legacy DAST tools to test the potential vulnerabilities, leading to a potentially huge amount of time chasing down false positives.
Furthermore, legacy DAST tools often can't be used until a piece of code approaches the production stage, as most DAST tools can test only stand-alone working binaries. The tests often need to be triggered manually.
With legacy DAST, "you could scan many assets to see what you're working with, but for detailed analysis, you had to rely on manual inspection," explained Invicti's Zbigniew Banach in a 2020 blog post.
The abilities of modern DAST tools
Modern DAST tools go far beyond these rudimentary abilities. They can often provide proof-of-concept exploits for discovered vulnerabilities, saving developers a lot of time that might otherwise be spent chasing down false positives. (DAST software maker Invicti calls this "proof-based scanning.")
Modern tools also are less strict about where in the software development life cycle they can be deployed and are able to test bits of code that legacy DAST tools might not have been able to handle. This lets developers get an early start on finding and solving problems.
"You can scan for vulnerabilities as soon as you have runnable code, which means from the first commit for most modern frameworks and trigger incremental scans automatically as part of the pipeline," wrote Banach in a 2022 blog post.
These modern tools can also run in the background, constantly testing code during the seemingly endless cycle of update-test-deploy-repeat and letting developers focus on their core duties.
"DAST can run any time of day and night, as often as you need," wrote Banach. "This is vital for continuous integration pipelines, where you can't organize a penetration test for every single build."
Many modern DAST tools also have additional features that embed them deeper into an SDLC, enabling secure coding across the development process. For example, some DAST tools can now scan for and discover web assets, even those that developers may have forgotten about.
They can also be integrated with bug-tracking platforms like Jira or ServiceNow, continuous integration/continuous development (CI/CD) tools like Jenkins or GitLab, and interoffice messaging programs like Slack or Microsoft Teams. Some modern DAST tools even come with different compliance modules to make sure the software being tested conforms to PCI-DSS, HIPAA or ISO 27001.
Modern DAST tools have also learned to make up for the shortfalls of their legacy forbears. The first generation of DAST tools often had trouble with custom authentication and business logic, so their descendants have learned to adapt to those. Likewise, modern DAST tools can often connect to Amazon Web Services environments for off-premises testing.
Finally, some modern DAST tools, such as Invicti's, include an element of SAST (static application security testing) to get a look at the underlying code and thus provide a view of an app's security from both outside and inside. This is often called interactive application security testing (IAST), but like SAST, it's often tailored to specific programming languages and can't be run independently like DAST tools.
"Simply put, a modern DAST solution is the only way to get a complete picture of your web security posture and take action from day one," wrote Invicti's Zbigniew Banach in a 2020 blog post.
What to look for in a DAST tool
So what should you consider when you're shopping for a DAST tool? One of the most essential features is the ability to "prove" that discovered vulnerabilities are actually exploitable and worth fixing.
"Do not consider solutions that cannot provide confidence and evidence of identified vulnerabilities," states a Web Application Security Buyer's Guide provided by Invicti. "Every vulnerability that cannot be confirmed with 100% confidence by your software must be verified manually, breaking any development automation and consuming time and security team resources."
You should check to make sure that the DAST tool has a modern crawling engine (preferably based on Chromium), can scan the internet for websites and domains belonging to your organization, can import standard API definition formats, and can scan for "blind" vulnerabilities that might not yield immediate outputs but could cause trouble down the road.
"If your vendor or software maker mentions terms like misconfigurations, open databases, and vulnerable libraries, there is a good chance that they support the discovery of many different types of web application security issues, not only web vulnerabilities," state Invicti's buying guide.
You'll also want to make sure that the tool can get past any custom authentication or business logic that your software may throw in its path. You might have to hold the software's hand to get past these obstacles, but any DAST tool that can't work even in that scenario should not be considered.
Last, you'll want to see how well the tool integrates with software that already exists in your development environment.
"The more integration capabilities a [DAST] solution has, the more time you will save when setting it up and using it," says Invicti's buying guide.
