By Jay Lloyd. August 13, 2021.
What is DAST?
A Dynamic Application Security Testing (DAST) tool is a software program that crawls your web application to find security vulnerabilities. DAST tools, which use black-box testing to examine the functionality of an application without any knowledge of its internal structures or workings, seek out links on your application and inspect the content sent back from them, which can include HTTP Headers, cookies, and page content. Most importantly, DAST tools analyze whether that information poses any security risks.
Interestingly, hackers take a similar approach when trying to break into your system. However, unlike a hacker, who will likely cause damage to your system, a DAST tool will point out vulnerabilities so that you can fix them.
Why Is DAST Important?
Your application could be leaking information that it's using an outdated framework with known security bugs. This information may sound harmless, but it's valuable for anyone with malicious intent. This type of vulnerability, which is #9 on the OWASP Top 10, Using Components with Known Vulnerabilities, is just one type of security issue that can be found with a DAST tool. In addition, your application could have other vulnerabilities from the OWASP Top 10, such as Cross-site Scripting (XSS), because your Content Security Policy is unsafe.
By now, you might be thinking that application security is complex—and it definitely can be. Security vulnerabilities are not always apparent when performing code reviews, either manually or by using a Static Application Security Testing (SAST) tool. Therefore, to sniff out these complex issues and protect your system, you need to carry out frequent DAST scans on your application.
If you want 360-degree protection, you need to use SAST and DAST together. SAST protects your system by finding vulnerabilities in the lines of code written by your developers, but DAST completes the picture by alerting you to issues with your application from the outside world. Having these two tools working together provides a strong defense against security threats.
To read more about the benefits of using SAST and DAST together, check out my previous article Tech Debt is a security nightmare. Here's how to fix it.
What should you look for in a DAST tool?
DAST tools come with a variety of features, which can make it difficult to choose one. I'll discuss several criteria to think about when deciding which one is right for you.
OWASP Top 10
If you're serious about application security, then you know the importance of the OWASP Top 10. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. You want a tool that will provide the widest coverage for the Top 10. A good first step toward application security is to focus on these issues since they're the most common.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Supported Application Types
DAST tools have been around for many years, but applications have been evolving at a breakneck pace. For this reason, you want to make sure that you select a DAST tool that has kept up with innovation and isn't going to have issues crawling your website. An outdated tool may struggle to find all the nook and crannies of your application if you have a Single Page Application (SPA), APIs, mobile, etc.
It's easy to introduce a new tool into your stack, but adoption can be a tough hill to climb. To ease adoption, look out for false-positive results. A false positive occurs when a vulnerability is incorrectly identified. False positives waste your team's time and eat away at your DAST tool's credibility. Over time, the team might start to ignore the alerts. To avoid this outcome, you want to choose a vendor who continuously improves its reporting accuracy through means such as machine learning.
Many vendors train their tools against open-source projects rather than private projects. However, if you're worried about how your data may be used, then the vendor's Terms of Service is a good place to start.
A DAST scan can take some time to complete (usually from a few minutes to hours, based on the size of your application). If you plan on integrating your DAST tool into your Continuous Integration (CI) environment—as part of a Shift Left strategy—then you'll want to choose a DAST scanner that's fast. Otherwise, you're going to bring your software delivery process to a crawl while developers wait for a DAST scan to complete, which is undesirable, given that one of the benefits of continuous code integration is to improve the speed of software delivery. However, if you plan on running DAST scans outside of your CI environment, either on-demand or on a schedule, then speed may not be a critical factor for you.
A Continuous Integration (CI) environment is where new code changes are continuously merged, built, and tested
Pricing models for DAST tools can vary based on the numbers of users, sites, and scans. The two that may influence your decision the most are the number of sites and the number of scans.
Number of Sites
A site is defined as a fully qualified domain name (FQDN), meaning mysite.com and blog.mysite.com count as two sites. You may need to choose your subscription plan the number of sites you plan to scan.
Number of Scans
The number of scans you need depends on how you plan to run DAST scans (either on a schedule or by integrating with your CI environment). For the latter, you'll probably want to choose a vendor that allows a high number of scans to avoid running into any usage limits. For extra comfort, some vendors offer unlimited scans.
The vendors we considered
Accunetix scans your web application and APIs for over 7,000 vulnerabilities, including SQL Injections, Cross-site Scripting (XSS), misconfigurations, unpatched software, weak passwords, and exposed databases. Accunetix claims to have a low false-positive rate and calculates a confidence score so your team can focus on threats that matter.
Advantages: Supports modern web applications, low false-positive rate
Disadvantages: Premium subscription needed for features like cloud hosting and CI integration, limited Mac OS support for on-premises option
Detectify is a web application scanner powered by ethical hacker research. It uses crowdsourcing to find new, undocumented vulnerabilities that go beyond the OWASP Top 10. Detectify offers an API so that you can integrate with tools like Slack, Jira, Trello, and PagerDuty.
Advantages: Crowdsourcing for new vulnerabilities
Disadvantages: Weak integration with CI environments
Netsparker can scan web applications and APIs regardless of the technologies, frameworks, and languages used. It has a built-in vulnerability assessment to help you decide which issues to prioritize. Netsparker provides documentation for every vulnerability it finds so that a developer can easily reproduce the bug and quickly find a solution.
Advantages: Broad support for different application types, proof of vulnerability
Disadvantages: Only supports Windows for on-premise solutions
Rapid7's InsightAppSec can scan modern web apps and APIs for OWASP Top Ten vulnerabilities, over 95 attack types, and best practices. The scans generate documentation for reproducing the vulnerability so that developers can test their fix without running another scan; Rapid7 calls this feature "Attack Replay." InsightAppSec has an API for managing scans and vulnerabilities. InsightAppSec has allows for continuous integration with Jenkins, Azure DevOps, and Bamboo, but you'll need to integrate other CI tools using their API.
Advantages: Quick setup, Attack Replay
Disadvantages: Limited integration with CI environments
StackHawk, which can scan Single Page Apps, Server Side HTML, and APIs (REST and GraphQL), was built with DevSecOps in mind. StackHawk not only quickly delivers accurate scans to keep up with the rapid pace of modern software teams, but it also helps to quickly remediate vulnerabilities. When a vulnerability is found, StackHawk provides instructions for reproduction and steps for remediation. StackHawk is powered by the open-source ZAP project, which has a strong reputation as a security scanner.
Advantages: CI integration, GraphQL support, fast security scans, Customer Support
Veracode Dynamic Analysis supports a wide variety of frameworks and application types, including Single Page Applications, HTML5, Angular, and ReactJS. It has over 40 integrations to help provide a seamless experience across your Software Development Lifecycle (SDLC), which encourages process security and faster remediation.
Advantages: Integration with over 40 tools, part of the suite of other Veracode application analysis products
Zed Attack Proxy (ZAP) is a free, open-source web app scanner that is maintained under the Open Web Application Security Project (OWASP). It is widely trusted and powers some of the newer DAST tools on the market. Because it is an open-source project, it isn’t as easy to use as some commercial offerings, but its functionality can be extended through the add-ons available in the ZAP Marketplace. ZAP also offers an automation framework that can be integrated with your CI environment using either Docker or GitHub Actions.
Advantages: Free (open-source), ZAP Marketplace add-ons, Automation
Disadvantages: Time-consuming setup, limited integrations
|Vendor||API Scanning||API access||Free Trial or Free Account|
Zed Attack Proxy (ZAP)
DAST at Trustpage
As we continue to add tools to our arsenal, we strive to do so mindfully. Oftentimes, having too many tools can be a headache because there are more logins and passwords to manage, additional entry points into your systems, and more things to monitor, all of which can prohibit your team from moving fast.
After evaluating several vendors, we selected ZAP as our DAST tool. There are some good commercial products on the market, but they have few differentiating features. ZAP offers a simple yet elegant solution that alerts the members of our engineering team about security bugs in GitHub—a tool they use every day—and we are confident that ZAP will help Trustpage streamline application security in a cost-effective manner.
Consider adding Dynamic Application Security Testing to your company's Trust Center today.
Jay Lloyd is the Lead Evangelist at Trustpage. After work, you can find him on his Peloton. He lives in Detroit.