DAST tools are only as good as their setup and support

For all the differences between the DAST tools on the market today, scanner configuration and optimization can make or break any product. Even the best tool needs to be set up correctly to test every corner of your unique application environment – and to get there quickly and efficiently, you need rock-solid support from your vendor.

In the testing tool corner of the security industry, it’s easy to get caught up in comparing features, prices, and vendor claims across products and forget that tools don’t run themselves – they’re used by people who need to get a job done. Especially in the realm of dynamic application security testing (DAST), any scanning tool needs to be optimized to best match your unique environment and business needs.

The right setup and ongoing support can make a huge difference to the quality and usefulness of results. If your vendor can guide you through deployment and optimization, you will start seeing real value almost immediately.

Getting results and value in hours versus weeks

Proving the value of investments in security tools is notoriously difficult, especially when it comes to security testing. Without tangible results in a realistic timeframe, automated tools like DAST risk becoming a compliance item to tick off the list without regard to actual impact on security. Like any other tool, DAST needs to be set up correctly. If it’s not configured for your environment, even the best tool might miss some assets that should be getting tested – and a mediocre tool may find nothing at all because it can’t get in.

The combination of a good product, good setup, and good support is what determines the time to value. Even a technically good product that isn’t backed by the right support and documentation may leave your teams with a steep learning curve and many weeks of trial, error, and manual tweaking before you start to see value. But when product, setup, and support meet in the right place, your first security improvements could start coming in within hours of your first scan.

Common speedbumps in setting up scanning

At Invicti, we work closely with our customers, from initial onboarding to everyday support and feature requests for our industry-leading DAST solutions. Based on our experience, here are three crucial areas where less advanced scanners can stumble – and also where a few minutes of expert guidance can save many hours of DIY setup and exponentially improve the quality of your results:

  • Knowing what to test: Deciding on the scope of DAST scans is crucial to ensure you’re testing everything you need. Otherwise, whatever tests you run could be skipping critical assets, potentially leaving them vulnerable to attack. Invicti incorporates an asset discovery service and an advanced crawler to identify as many potential scan targets as possible. When set up properly, these pre-scan features show you your attack surface and help prioritize assets for testing.
  • Authentication: Few web applications, and even fewer APIs, are fully accessible without authentication (and usually authorization as well). Basic vulnerability scanners often struggle to access and test restricted assets, or lack the automation features to scan them without user interaction. Setting up authentication is one of the first steps in bringing Invicti customers on board – and once set up, the Invicti solution can run authenticated scans fully automatically.
  • Performance and scope optimization: Getting a DAST tool working is only the first step to getting the best possible results from it. Each customer environment is unique, so the Invicti support team helps customers constantly optimize their setup to maximize performance and scope. This translates into faster scans, more accurate results, and often even customized solutions to scan bespoke applications that most scanners can’t test at all.

Going from scan results to actual fixes

For most DAST scanners, delivering the scan results is where the job ends, and anything after that is someone else’s problem. In fact, many users don’t expect a DAST tool to do anything more. But Invicti was built with automation and integration in mind, so its functionality also includes a wealth of workflow integration features that can be set up to efficiently feed scan results into an existing development pipeline. You don’t need security experts to run an advanced DAST solution – once set up and integrated into your workflows, it can run all by itself and be managed day to day by staff without a security background.

Invicti customer support can help to gradually expand the scope of integration until DAST runs fully automatically as a silent coworker. At this stage, you are optimizing not only application security testing but your entire development and testing process. And with Invicti’s proof-based scanning and remediation guidance in vulnerability reports, you’re seeing clear security benefits with added confidence in the results, as real security vulnerabilities are found and closed with every ticket.

Shortcut to DAST success: Tag-teaming with your vendor

Nobody knows your application environment better than your own team, but nobody knows the product like the vendor’s team. The fastest road to success and value is to combine the two: have the vendor guide your internal experts through the setup and optimization process while drawing on your team’s intimate knowledge of the applications and process flows involved. That way, your employees can focus on doing their core jobs rather than setting up and optimizing scans.

The right DAST backed by reliable onboarding and vendor support can be all you need to transition to an efficient and effective DevSecOps process. So when looking at DAST products, remember to ask about the onboarding process and vendor support – and when looking at Invicti, remember to ask about our Guided Success offering.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.