DAST, or dynamic application security testing, is a testing approach that involves testing an application for different runtime vulnerabilities that come up only when the application is fully functional. These issues can be related to runtime, code, dependencies, and more.
As a type of black-box testing (meaning you’re not aware of what’s running inside the application when you try to exploit it), DAST takes an outside-in approach and simulates real-world attack scenarios like SQL injections, cross-site scripting, and authentication issues.
CI/CD Pipeline Security Best Practices [Cheat Sheet]
In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response.
Download Cheat Sheet
How does DAST actually work?
DAST fits best in the testing phase of your application. DAST generally comes after other code security and code quality scans in the pipelines, such as SAST.
DAST involves multiple steps:
1. Discovery
In this phase, an application is scanned to find the entry points or the interfaces that allow a user to interact with the application. Think APIs, forms, UI, or URLs. All of these entry points will be tested in the next step.
2. Simulation
Once the application interfaces are identified in the discovery phase, the application is exposed to different kinds of attacks like SQL injections, cross-site scripting (XSS), runtime memory leaks, cross-site request forgery (CSRF), privilege escalation, server configurations, and TLS issues. DAST tools try to run these attacks and make efforts to get access to critical parts of the application.
3. Analysis
Once simulations are performed, the outcomes for these attack simulations are analyzed to determine if there are vulnerabilities present or not.
4. Reporting
In the reporting phase, DAST tools present any identified vulnerabilities and suggest tools and potential fixes. Reporting can be integrated with your organization’s communication channels to alert teams as soon as a vulnerability is found.
All of these steps together make a complete DAST scan, and reports are a jumping-off point for investigations and remediations, empowering your teams to strengthen your system’s security posture.
SAST vs. DAST
To recap, dynamic application security testing (DAST) is a penetration testing technique that assesses an application's security posture without analyzing its underlying code. Instead of inspecting the codebase, DAST focuses on running and interacting with the software using known attack vectors.
For example, DAST tests an HTTP server by sending requests embedded with potential exploits to check if the application is vulnerable. Since DAST doesn't examine the code itself, it's language-agnostic and is effective no matter the programming language or technologies used, making it versatile across different platforms.
Though DAST tends to be slower than static application security testing (SAST), it can detect a broader range of vulnerabilities that are not apparent to SAST, like runtime vulnerabilities that occur in production environments. (Vulnerabilities like distributed denial-of-service susceptibility, exposure of sensitive internal data, or misconfigurations in third-party services.)
On the other hand, SAST comes before DAST during development and CI/CD pipelines. SAST analyzes the source code itself and can be executed very early in your DevSecOps pipelines. With SAST, the code is analyzed to find patterns that can be potential issues. SAST can also be paired with fuzzing for more comprehensive results.
DAST vs. IAST
IAST, or interactive application security testing, is a combination of SAST and DAST methodologies that can add more value to your security testing. IAST analyzes the source code for vulnerabilities and also executes part of the code to identify issues and monitor its behavior in real time. IAST analyzes runtime by adding instrumentation to measure important metrics at different code points, helping to both identify security issues and indicate the severity of the problem.
Benefits of DAST
Dynamic application security testing is very close to real-time attack situations, so it can help you catch exploits that are actually found in the wild. Here’s a summary of the other benefits DAST brings to the table:
Runtime vulnerability and wide vulnerability detection: Apart from your code, severe issues can be found in your runtime (and your runtime only). This makes DAST really helpful because runtime vulnerability scanning is DAST’s specialty. DAST also looks beyond the code from an external perspective and can test issues like session mismanagement, cross-site request forgery, open redirects, Log4Shell, and more.
Language-agnostic testing: DAST tools don’t have to understand the coding language you used to build your application—they can identify and exploit any vulnerabilities, no matter what. This makes DAST implementation easier, streamlining your testing workflows.
Third-party testing: You can test your dependencies for any issues via DAST tools. (Since it doesn’t have to understand the internal workings and needs only interfaces to start evaluation, it’s easy to use DAST on your third-party tools!)
Real attack behavior: DAST’s biggest strength is the nature of its “attacks.” The simulations that DAST tools perform are very close to the actual behavior of attackers.
Limitations of DAST
Though DAST is a great option for testing, it does come with some downsides:
False positives in security testing: DAST can trigger a lot of false positives, creating a lot of work for teams, who have to sift through them all and decide which alerts to pay attention to.
Slow detection: DAST is very slow compared to its counterpart, SAST, and may take a lot of time to detect issues, making your deployment cycles longer.
Opposite of shift left: The shift-left approach of SAST saves a lot of time, but DAST is basically the opposite. You can start DAST analysis only after your application code is complete, built, and deployed. Because it comes after deployment, identifying and routing remediation of issues to the relevant development owners is a lengthy process.
No code insight: Since DAST has no visibility into the code itself, there can be issues that DAST misses. That’s why SAST is also very important, and it’s a good idea to use both of them and not just rely on one.
DevOps Security Best Practices [Cheat Sheet]
In this 12 page cheat sheet we'll cover best practices in the following areas of DevOps: secure coding practices, infrastructure security, monitoring and response.
Download Cheat Sheet
Popular open-source DAST tools
There are many popular open-source tools you can leverage for DAST analysis. Here are a few that are in continuous development:
| Tool | Description |
|---|---|
| OWASP ZAP | ZAP, or Zed Attack Proxy, is one of the most popular DAST tools. It can be easily integrated into your CI/CD security pipeline to analyze the behavior of your application. ZAP has a major community backing it, can perform other security testing like SAST, and can carry out code reviews as well. |
| Wapiti | Wapiti is another very popular open-source tool for scanning web applications. It covers a wide array of attacks, including some advanced attacks like TLS misconfigurations and Shellshock. (Note that Wapiti doesn’t have a GUI and is more suited to scheduled scans than real-time testing.) |
| Vega | Vega is also a free, open-source tool for dynamic application testing. Vega has APIs and GUI, which makes it user friendly. The downsides? Vega has limited support for modem JavaScript applications and can struggle with CI/CD integration. |
| w3af | w3af is billed as a complete ecosystem for auditing web applications. It comes with a lot of helpful features—from notification channels to reporting and alerting. w3af’s drawbacks are a lack of a GUI and limited support for C/CD. |
| Burp Suite | Burp Suite is used widely for security scanning and testing. Burp Suite is available as a community offering as well as a paid version. (With the paid version, you can get some extra automated scanning features.) For better control and ease of use, Burp Suite offers a GUI. Burp Suite boasts a vast number of features and attacks that it can analyze and perform. |
Strengthen your application and SDLC security with Wiz Code
While DAST scans can be time-consuming, they add a lot of value in hardening your application security posture against attacker threats. To maintain the speed and productivity of agile deployment cycles, DAST scans can run directly after deployment and then be repeated in a continuous, asynchronous manner to report any runtime vulnerabilities that might come up.
There’s no question that DAST can help you strengthen your security posture after your apps have been deployed, but DAST alone isn’t enough. It’s best practice to implement a proactive approach to security and perform a comprehensive set of scans during build time (first-party code, third-party code, infrastructure, and pipeline security settings) in order to ensure that you’re not leaving your systems exposed to threat actors, and that’s where Wiz Code comes in.
Wiz Code offers real-time security feedback to developers, enriched with cloud insights, directly in the IDE and pull requests. This helps developers anticipate the impact of vulnerabilities and exposed secrets once their code has been deployed and proactively remediate their most impactful application security issues in code.
Wiz Code also connects to code repositories and CI/CD pipelines, scanning the entire application stack and SDLC security posture, from third-party code dependencies and license compliance issues to container images, IaC templates, and the settings of VCS and CI/CD pipelines themselves so that you can detect vulnerabilities, misconfigurations, compliance issues, sensitive data, exposed secrets, and malware.
Using Wiz Code in combination with one of Wiz’s SAST integration partners, such as Checkmarx, Cycode, or Jit, gives security teams complete visibility and control over their application security posture from build time to runtime—with no siloed tooling or gaps in coverage.
Want to see for yourself how Wiz Code can protect everything you build and run from code to the cloud? Schedule a demo today.
Secure your cloud from code to production
Learn why CISOs at the fastest growing companies trust Wiz to accelerate secure cloud development.
