
What is Dynamic Application Security Testing?

Apr 25, 2022
| by:
Sherif Koussa

Integrating Dynamic Analysis Into Your DevOps

Integrating dynamic analysis is a great way to capture low-hanging fruit in staging or production. It is an easy win on a vendor security questionnaire.

What is Dynamic Application Security Testing (DAST)?

Dynamic analysis is the process of running a scan on the target system (such as a network, infrastructure, APIs, GraphQL, or otherwise) to find vulnerabilities, ideally before shipping the application. Dynamic analysis is a great way also to find any configuration issues, missing security headers, unnecessarily open ports, and other security issues that would manifest themselves only when the application is running.

One of the benefits of dynamic analysis is that it produces evidence-based findings. Usually, the scanner presents evidence of why something is a security issue (the request it sent and the response it observed). In comparison, static analysis often finds theoretical vulnerabilities, which are not always exploitable vulnerabilities.

The value of dynamic analysis is greater when it is integrated into the software development process, ideally into the Continuous Integration (CI) stage.

How to Choose the Right Dynamic Analysis Scanner

Here are the three things you should look out for when choosing the scanner:

1. The Ability of the Scanner to Run in a Headless Mode

Automating dynamic security testing requires the scanner to run in a headless mode. The scan should be easily scripted from your automation server. There are some great scanners out there, but they only run in a desktop mode, meaning someone has to configure the scan and click a button. Those are not the best for integration into the CI/CD pipeline.

2. Coverage for Your Tech Stack

Not all scanners are created equal. Some are better for API or web-based applications (non-API powered), while others are ideal for mobile. A fourth option is great for infrastructure-based scanning. It is very rare that a scanner would be able to cover everything as efficiently. So prioritize your needs, and pick your scanner appropriately.

3. Scanning Speed

Nothing is more frustrating than a tool that delays the CI/CD run by more than 10-15%. Most scanners take hours to run, not minutes, which would introduce delays to the build process. Some newer scanners have the ability to scan parts of the application, which would speed it up. 
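To make the headless and evidence-based points concrete, here is an added example (not code from this post or from Software Secured) of the smallest possible dynamic check: a script that takes the response headers of a running application, reports missing or weak security headers with the observed value as evidence, and exits non-zero so a CI job fails on medium-severity findings. The header policy (`REQUIRED_HEADERS`), severities and the sample responses are assumptions chosen for illustration; the only network call is a single GET via the standard library, and with no URL argument the script runs fully offline against a constructed response.

```python
"""Headless security-header check: runs unattended, emits evidence, fails CI.
Added example; the header policy below is an assumption, not a standard."""
import json
import sys
from dataclasses import dataclass, asdict
from urllib.request import Request, urlopen

# Assumed policy: header name -> predicate that the value must satisfy.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
# Headers that disclose implementation details; reported as informational.
DISCLOSURE_HEADERS = ("server", "x-powered-by")


@dataclass
class Finding:
    severity: str   # "medium", "low" or "info"
    header: str
    evidence: str   # what the scanner actually observed


def check_security_headers(headers):
    """Return evidence-based findings for one response's header map."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(Finding("medium", name, "header absent from response"))
        elif not is_ok(lower[name]):
            findings.append(Finding("low", name, f"present but weak: {lower[name]!r}"))
    for name in DISCLOSURE_HEADERS:
        if name in lower:
            findings.append(Finding("info", name, f"discloses {lower[name]!r}"))
    return findings


def fetch_headers(url, timeout=10):
    """Issue one GET against the running target and return its response headers."""
    with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
        return dict(resp.headers.items())


def run_scan(headers, fail_on=("medium",)):
    """Return (findings, exit_code); a non-zero exit code fails the CI job."""
    findings = check_security_headers(headers)
    exit_code = 1 if any(f.severity in fail_on for f in findings) else 0
    return findings, exit_code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        headers = fetch_headers(sys.argv[1])          # e.g. the staging URL from CI
    else:
        # Constructed sample response (not captured from any real system).
        headers = {
            "Server": "nginx/1.18",
            "Content-Type": "text/html",
            "X-Frame-Options": "ALLOW-FROM https://example.com",
            "X-Content-Type-Options": "nosniff",
        }
    findings, code = run_scan(headers)
    print(json.dumps([asdict(f) for f in findings], indent=2))   # machine-readable evidence
    sys.exit(code)
```

Run it as `python check_headers.py https://staging.example.test/` from a pipeline step; because it needs no interactive configuration, it satisfies the headless requirement above, and the JSON output carries the observed value for every finding, which is the evidence a static tool cannot provide. The real scanners discussed in this post do far more than this, but the shape of the integration (scriptable invocation, structured findings, exit code as the gate) is the same.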

Comparing DAST to SAST, IAST, and RASP

SAST and DAST are often used in tandem. As a static analysis screening tool, SAST is better at flagging coding errors, while DAST is better at finding runtime errors. Using DAST alongside SAST solutions also helps to mitigate the high risk of false positives that SAST solutions tend to provide. 

Interactive application security testing (IAST) takes more into consideration for modern web and mobile apps than SAST or DAST solutions typically will. IAST combines aspects of both DAST and SAST to perform its analysis in real time from inside the running application, at whatever stage of development it is deployed. IAST can also function in a continuous integration environment, in QA, or in production.

Run-time application security protection (RASP) is the most different from SAST, DAST, and IAST. Less of a testing tool, RASP is more focused on everyday security protection within the application by controlling application execution and protecting the app when it has been breached. In this way, it’s an excellent bonus tool in addition to security testing. 

See a deeper comparison of DAST, SAST, IAST and RASP here.

© 2022 Software Secured