Ferruh Mavituna on Enterprise Security Weekly #188
In a recent interview on Enterprise Security Weekly, Invicti founder Ferruh Mavituna talked to Paul Asadoorian and Matt Alderman about the most common myths that persist about DAST. The discussion also highlights the true capabilities of state-of-the-art DAST products and shows why they can be the only practical solution to real-life web application security challenges.
Myth #1: DAST Is Limited
In the early days of web application security, code analysis (static application security testing, or SAST) and manual penetration testing were the dominant approaches. The first DAST tools were created as an aid to manual testing, not as standalone solutions. Working as a web penetration tester back in 2006, Ferruh used some of the early DAST products as part of his toolkit and was frustrated with the gaps and limitations he could see. This led him to build his own improved DAST tool, which later became Invicti.
As Matt says, early DAST could scan “a mile wide and an inch deep” – you could scan many assets to see what you’re working with, but for detailed analysis, you had to rely on manual inspection. This led to the misconception that only SAST can provide good testing coverage because it can check all the code. While full code coverage is a valid measure for many other kinds of development testing, good coverage in security testing means checking for what is actually exploitable. For that, you need to test a running application.
The truth is that with advanced crawling and authentication, modern DAST solutions can go very deep – much deeper than most people expect. Combined with asset discovery, this now allows organizations to use DAST both as a standalone web application security solution and as a valuable part of an existing toolkit.
Myth #2: DAST Is Not Accurate
With just a few years of development behind them, early DAST tools were limited not just in scope but also in accuracy. They found only simple vulnerabilities and were prone to false positives (false alarms), so they were only useful as an additional check during a manual vulnerability testing process. Many vendors decided to focus on developing SAST at the expense of their DAST tools.
On the other hand, Invicti (then still called Netsparker) was already focused on improving all the shortcomings of early DAST. It now finds a wide range of vulnerabilities, including some complex ones that even a less experienced pentester might miss. To deal with the problem of false positives, Ferruh developed Proof-Based Scanning to show with 100% confidence which issues are real and not false positives. Combined with continuous development since 2006, this has placed Invicti miles ahead of most DAST competitors in terms of accuracy and reliability.
Myth #3: DAST Does Nothing That a Human Can’t Do
The first vulnerability scanners existed only to automate some of the tasks of a penetration tester. As the scale of web application deployments grew beyond all expectations, it became clear that even with the best tools, purely manual testing simply cannot keep up at scale.
DAST is not intended to replace penetration testing, because there will always be advanced vulnerabilities that only a human can find and understand. What DAST can do is fill in the gaps wherever penetration testing is not available or possible:
- Manual testing will never give full coverage in modern web applications and APIs, especially if you add time and resource constraints.
- DAST can run any time of day and night, as often as you need. This is vital for continuous integration pipelines, where you can’t organize a penetration test for every single build.
- A good DAST scanning configuration incorporates the expertise of top security researchers and penetration testers and makes it available not just to security professionals but also to developers and non-technical staff.
- An automated tool can include multiple configurations for a wide variety of environments, frameworks, and languages that the average pentester might not always know or be prepared to test.
- DAST is much faster than manual testing. With advanced solutions like Invicti, you run a scan today and tomorrow you know with 100% confidence how many exploitable vulnerabilities you need to address, even if you’re working with hundreds of web assets.
Myth #4: You Don’t Need DAST When You Already Do Other Testing
The cybersecurity market is dominated by established network security and SAST vendors, so the message that many customers are getting is that web application security is no big deal, just another thing to check. The truth is that many of these vendors missed the boat in the early 2010s when the world started shifting to web technologies and the cloud. Here and now, they are playing catch-up to dedicated DAST vendors.
Web application security is a complex and dynamic field of cybersecurity, and with cyberattacks and data breaches on the rise, the stakes are high. A high-quality DAST is a practical necessity for any organization that takes its web application security seriously. Crucially, this applies to all organizations, no matter if they have a mature web security program or are just starting out.
Penetration tests and bug bounty programs to find exploitable vulnerabilities, SAST to check source code, SCA (software composition analysis) to check open-source libraries – these are all valid and effective approaches to improving web application security, but not everyone can use them. A good DAST solution can provide an easy and effective starting point for organizations that need their first web security tool. Even more importantly, it can complement and amplify other security initiatives that are already in place. For example, with bug bounty programs, checking a new application release with a high-quality vulnerability scanner before opening it up to the bounty hunters can bring measurable savings in bug bounty payouts.
Myth #5: DAST Is Just About Scanning
Even as DAST tools improved over the years, most of them remained focused squarely on vulnerability scanning. At the same time, websites and web applications became more complex and their numbers grew to the point where a large organization can easily have several hundred websites. If you scan 500 websites and find 10 issues for each (which is a typical average), what do you then do with the 5000 results? This is the most serious web application security challenge faced by enterprises.
The ultimate goal of web application security is not to find vulnerabilities but to resolve them. There is no question that DAST is the only practical option when you need to secure hundreds of websites, especially with a small team. If you just have a scanner, there is no way to visibly improve the security of 500 websites in a realistic time-frame, let’s say a month. In fact, even if you had unlimited funds and resources, there is no service or product on the market that would allow you to do that. This is where Invicti comes in.
The key to web application security at scale is confident automation, where you work with proven scan results and automate everything you can. Invicti automatically verifies direct-impact vulnerabilities that are definitely not false positives, allowing security teams to focus on actionable, high-priority issues. When a critical vulnerability is found, Invicti can automatically add a ticket in the bug tracker, notify the developer, and later automatically retest the submitted fix. By eliminating uncertainty and unnecessary manual work, you can achieve what was previously impossible.
Reality Check: DAST Is the Future
The limitations of early DAST tools have left behind many misconceptions that linger on even after a decade. Modern DAST solutions are light-years ahead of the first simple scanners, but as in every market, quality varies. Invicti is unique as the only dedicated DAST solution that allows organizations to truly improve web application security at scale.
The world is moving to the web and analysts predict that by 2025, cloud products will make up over half of the software market. Web application security is the future of software security – and DAST is the future of web application security.