The secret to getting results, not noise, from your DAST solution

Products for dynamic application security testing (DAST) vary widely in quality and capabilities. A low-quality tool that merely ticks a box will do little to improve security and may generate more work than it saves. But a mature, high-quality solution can bring measurable security improvements and serve as a solid foundation for your entire AppSec program, as our infographic shows.

The secret to getting results, not noise, from your DAST solution

Scanning is easy – getting good results is not

A generic product pitch for your average DAST tool will tell you that it is an amazing solution because it can run security tests automatically and scale to any number of scans in the cloud. But as any security engineer and penetration tester will tell you, automating security checks is easy – you just write a script that sends your test payloads however many times you need. Spinning up additional workloads on demand is a fundamental feature of cloud environments, so there’s nothing mysterious about scaling scanning, either. The real challenge lies elsewhere.

Vulnerability scanners have been around since the mid-2000s, so the basic concepts involved are well known in the industry. The web has changed greatly since then, however, and it is now a very different place in terms of technologies, application usage, and the sheer scale of web development. Instead of a handful of static websites, organizations can have hundreds of dynamic sites, applications, web services, and APIs.

The key thing to ask today is not whether a DAST product can run automatic tests because they all do that by design. You need to ask if it finds real vulnerabilities and gets actionable results to the right people in time to make a difference – and this is where legacy solutions fall short.

Filtering the noise out of vulnerability scanning

Automation can be a real game-changer, but it is always a double-edged sword – if done badly, what should be a force multiplier merely becomes a work multiplier. Vulnerability scanning consists of multiple stages, and without expert care and attention, every single one can introduce noise that builds up into a flurry of vague signals and false positives. We’ve prepared a detailed infographic to show this, but here are the main steps in a nutshell:

  1. Crawl: Find all the URLs for testing
  2. Identify attack surfaces: Find all the different places to test for each URL from Step 1
  3. Attack: Run security checks on surfaces identified in Step 2
  4. Analyze reactions: Decide which test attacks from Step 3 have uncovered vulnerabilities
  5. Report results: Present data from Step 4 to the user

The real challenge is to fine-tune every step of the process by knowing what security checks to use, where to send them, how to automate testing safely, and how to interpret and present the results that come back. The ability to minimize noise at each step is what makes the difference between a deluge of suspected issues that all need to be checked manually and a set of actionable vulnerability reports.

Maturity makes all the difference

There are no shortcuts to getting a DAST tool to that level – only years of accumulated expertise, cutting-edge research, and tireless development. With well over a decade in the vanguard of vulnerability scanning technology, Invicti comes with security checks honed to a level where over 94% of exploitable high-impact vulnerabilities can be confirmed automatically by Proof-Based Scanning with 99.98% confidence. Invicti also integrates out-of-the-box with popular issue trackers, collaboration platforms, and CI/CD systems to ensure that security defects are found and fixed as a routine part of application development.

See our infographic below to learn how a modern DAST solution such as Invicti optimizes every step of the scanning process for accurate results – and why less advanced tools are doomed to flood users with false positives.

Infographic: Netsparker with Proof-Based Scanning vs legacy DAST

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.