What is DAST?
The term “Dynamic Application Security Testing”, or DAST for short, describes a procedure for checking the security of web applications. Specialised scanners simulate external attacks to reveal weaknesses. The approach has various advantages and disadvantages.
Loosely translated, DAST means something like “dynamic security test of applications”. Specifically, a scanner connects to the application in question and simulates external attacks while the application is running, which is where the term “dynamic” comes from.
Since the application is attacked from the outside, DAST is a black-box process: the code itself is invisible to the testing software. As a rule, both static (SAST) and dynamic tests are therefore carried out in order to ensure the best possible security.
Because the focus is on the web application and its behaviour, the method works regardless of the language in which the application was developed. Developers can therefore test for the typical problems with the common tools. The OWASP Benchmark project helps with selecting a scanner for your own project: it evaluates the performance of the individual tools against a specific application background.
Advantages of Dynamic Application Security Testing
The DAST approach has the following advantages, in addition to being independent of programming language and therefore of technology:
- The scanners find errors in the runtime environment.
- The rate of false positives is low.
- The tools find faulty configurations in applications that otherwise work; for example, they can identify performance problems that other scanners cannot.
- The DAST programs can be used both during development and afterwards.
The scanners are based on the same concepts that real attackers use in their attacks. They therefore provide reliable feedback on weaknesses. Tests have consistently shown that the majority of DAST tools can identify the Top 10 threats listed by the OWASP Foundation.
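To make the black-box idea concrete, the following is an added example (not code from the original article or from any DAST product): a constructed local web application is started in a background thread, and a minimal scanner inspects it purely from the outside, through HTTP requests and responses, with no access to its source. The checks are deliberately the configuration-level kind the article mentions: missing security headers, a server version disclosed in the `Server` header, and a session cookie set without the `Secure` and `HttpOnly` flags. The header list, the cookie name and the demo application are assumptions made for the example; the scanner also assumes the application is meant to be served over TLS, which is why a missing `Secure` flag counts as a finding.

```python
"""Minimal black-box (DAST-style) configuration check.

Added example, not code from the original article. A constructed local HTTP
service stands in for 'the application under test'; the scanner only sees
requests and responses, never the source.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers a hardened web app is expected to send (subset; assumption for the example).
EXPECTED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target. Its misconfiguration is what the scanner should find."""

    server_version = "DemoApp/0.1"  # version disclosure in the Server header
    sys_version = ""                # suppress the Python version string

    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        # Session cookie without Secure / HttpOnly flags (constructed defect).
        self.send_header("Set-Cookie", "session=abc123; Path=/")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_app():
    """Run the constructed target in a background thread; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)  # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/", server


def scan(base_url):
    """Fetch the target from the outside and return a list of findings (strings)."""
    findings = []
    with urllib.request.urlopen(base_url, timeout=5) as resp:
        headers = resp.headers  # http.client.HTTPMessage

    # 1. Security headers a browser would need to enforce a policy.
    for name in EXPECTED_HEADERS:
        if headers.get(name) is None:
            findings.append(f"missing header: {name}")

    # 2. Version disclosure: any digit in the Server value is treated as a version.
    server = headers.get("Server", "").strip()
    if any(ch.isdigit() for ch in server):
        findings.append(f"server version disclosed: {server}")

    # 3. Cookie attributes; the app is assumed to be served over TLS in production.
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie without Secure flag: {name}")
        if "httponly" not in attrs:
            findings.append(f"cookie without HttpOnly flag: {name}")
    return findings


def run_demo():
    """Start the constructed app, scan it, shut it down, return the findings."""
    url, server = start_demo_app()
    try:
        return scan(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as a script, it prints seven findings: the four missing headers, the disclosed `DemoApp/0.1` version, and the two missing cookie flags. Adding the headers and the cookie attributes to `DemoApp` makes the findings disappear, which is the feedback loop a DAST tool provides; note that the scanner reached every conclusion without knowing what language the target is written in.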
Disadvantages of Dynamic Application Security Testing
The DAST concept has to contend with the following weaknesses:
- Hard to scale: the scanners are programmed to carry out certain attacks on functional web apps and can usually only be adapted by security experts. They therefore offer little room for customisation.
- Slow scan speed: a DAST scan can take five to seven days to complete.
- Late in the life cycle: DAST programs find some security holes very late in the development cycle, holes that could have been discovered earlier via SAST. Fixing these issues then costs more than it should.
- Based on known bugs: it takes a long time before the tools can scan for new types of attack.
Conclusion: DAST scanners are only one component
The list of advantages and disadvantages of dynamic application security testing underpins what security experts generally say: individual techniques are only the building blocks of a security concept. DAST, SAST and other testing approaches should not be used in isolation; they must complement each other.