In cybersecurity, it can be tempting to fall into checklist mode, if only for the peace of mind of ticking off the compliance items required to minimize security risk. In web application security specifically, some organizations still treat a periodic manual penetration test or vulnerability assessment as sufficient to tick their “application security testing” box – but is penetration testing enough to truly cover that area? And what about all the automated testing methods out there (aka the AST zoo)?
This post attempts to clear up some of the confusion around the relative merits of automated and manual approaches to dynamic application security testing (DAST) – and show that it’s not an either-or proposition.
Strictly speaking, all types of security testing that probe a running app from the outside (black-box testing) qualify as DAST, whether manual or automated. In practice, the term DAST usually refers to automated vulnerability scanning, while manual black-box testing is called penetration testing (or pentesting for short).
Difference #1: Web asset coverage
When testing to determine your actual exposure to attacks, ideally you need to know and test your entire web attack surface. While penetration testers are theoretically able to test any asset that might also be available to attackers, manual testing is time-consuming and in practice usually limited in scope to a smaller subset of your environment. This could mean only testing business-critical apps or focusing on new and changed assets.
A good quality DAST tool, on the other hand, can run automated scans on any number of assets – preferably on your entire web environment. Similar to pentesting, DAST can find not only vulnerabilities resulting from security flaws in your own code but also vulnerabilities in third-party libraries and APIs, as well as purely runtime issues like security misconfigurations and vulnerable tech stack components. This is in contrast to static application security testing (SAST), where you are analyzing source code without running it, so you can only uncover potential vulnerabilities – and only when you have the code.
Difference #2: Speed and cost
Apart from practical limitations of scope, penetration testing is far slower than a DAST scan, both in terms of actual time taken and in terms of process efficiency. Every test you run has to be commissioned in advance and carries an associated cost, so relying purely on pentesters for application security testing can get cumbersome and expensive. And if you’re unable to test everything, and test it often, the time gaps between pentests can translate into gaps in your security posture.
With an accurate DAST solution under your belt, you can run what amounts to basic automated pentesting as often as you need; some Invicti customers scan their entire environment on a daily schedule. Whether in production or development, you can run scans whenever you want at no additional cost and without waiting on anything or anyone. This is especially important in an agile DevSecOps process, where stopping a sprint to wait for security testing results is not a realistic option. Because a scanner mainly finds what pentesters would consider obvious vulnerabilities, fixing these simpler issues is much faster than, say, addressing a major security flaw in business logic.
Difference #3: Depth and breadth of testing
There’s no question that an experienced pentester can go deeper and exploit more complex security vulnerabilities than any automated tool ever could. But, again, this takes time and cannot be applied equally to your entire web environment. In fact, that’s not the original purpose of pentesting – as the name implies, a penetration test is primarily intended to check if it’s possible for anyone to break into a system, so it doesn’t provide a full picture of your security.
You can think of a DAST solution as a way of setting and maintaining your security baseline. A good vulnerability scanner can run hundreds of automatic security checks per web asset and (if set up properly) do it across your entire environment at a scale and speed unattainable with manual testing. In fact, most penetration testers start work by running a vulnerability scanner to see what they’re working with and where to focus their efforts. In addition, with a mature solution like Invicti, the automated tests incorporate years of security research expertise across multiple web technologies and attack techniques, going far beyond the skill set of any single tester.
Difference #4: Ease of remediation
Finding security gaps is the short-term goal of security testing – but the long-term goal is to fill those gaps. Pentesting focuses on finding ways into your applications, so while the results of a penetration test provide information about the current resilience of an IT environment, they might not make it any easier to address the identified issues. This is especially true when testing originates in the sphere of information security with little to no integration with application development teams, who simply get a report about exploited vulnerabilities and are left to their own devices to fix them.
While many DAST tools can be equally unhelpful, especially when run as standalone scanners, some DAST solutions are designed specifically to integrate with the software development life cycle (SDLC) and aid remediation. In the case of Invicti, this starts with a rich set of out-of-the-box integrations with popular issue trackers, CI/CD pipelines, and collaboration platforms. To ensure that automated workflows are not flooded with false positives, Invicti uses proof-based scanning to automatically verify the majority of common vulnerabilities. That way, developers get confirmed and actionable tickets directly in their issue tracker – each complete with detailed technical information and remediation guidance.
Difference #5: Types of vulnerabilities found
Both DAST and pentesting will find many of the same fundamental web vulnerabilities, like SQL injection or cross-site scripting (XSS) – but that’s where the similarities end. Manual testers, whether pentesters or bounty hunters, excel at finding business logic vulnerabilities that automated scanners can’t detect because they don’t understand application logic. This includes such security flaws as insufficient authentication or authorization, where a certain resource is accessible to an attacker even though it shouldn’t be. Penetration testers can also use their expertise and intuition to combine multiple vulnerabilities into complex chains to mimic real-world attacks.
Where a DAST solution can’t improvise like a human, it wins out on persistence, consistency, and sheer volume. If you have several dozen XSS vulnerabilities across your environment, for example, a penetration test might only report a handful of them and leave it to your developers to find and fix all similar input sanitization failures. A good DAST scanner, on the other hand, will report most or all of these security issues, providing your development teams with an actual task list rather than general recommendations. DAST tools also come with a far greater variety of test attacks and payload varieties than could be realistically used in purely manual testing – and again, they can throw them at any number of assets.
Keeping your web apps and APIs secure goes beyond DAST vs. penetration testing
Cyberattacks are now a permanent feature of all cloud-based operations, and building up resistance is crucial to prevent them from becoming data breaches. As application architectures and deployment modes get ever more distributed and complex, it’s no longer enough to rely only on perimeter defenses like web application firewalls – first and foremost, the underlying application itself needs to be secure. Any AppSec program worth its salt should incorporate a layered and comprehensive approach to security testing, using the right testing methods at the right time to minimize the number of application vulnerabilities at every stage of development and operations.
DAST solutions are unique among AppSec testing tools in that they can cover both information security (to scan your organization’s own attack surface) and application security (to test the apps you’re developing and running). Combined with the sheer scale of testing and the ability to test all web assets regardless of tech stack or access to source code, this makes DAST a foundational component of any cybersecurity program. Use DAST to bring testing in-house and fix everything you can, and only then call in the security experts and ethical hackers as part of a penetration test or bug bounty program.
As a final thought, remember the recent MOVEit Transfer crisis? (If not, we’ve covered it here and here.) The resulting attacks that ultimately affected hundreds of organizations were only possible because malicious hackers combined several simple and normally inaccessible vulnerabilities into a devastating attack chain. Just like a penetration tester, the attackers used their human ingenuity to devise an attack path – but if those basic vulnerabilities had been found by automated scanning at earlier stages of the development process, all those MOVEit Transfer data breaches might not have happened.