How to choose a DAST solution: An 8-step evaluation checklist

DAST solutions play a critical role in application security testing. Being technology-agnostic, they can provide visibility into the security of complex modern web applications – but only if the product matches your unique needs. This post provides an easy-to-read checklist to help you ask the right questions when choosing a DAST tool.

How to choose a DAST solution: An 8-step evaluation checklist

Key takeaways

 

  • DAST solutions vary in their capabilities; this evaluation checklist aims to help businesses find the tool that best fits their needs.
  • Key selection criteria include visibility into all web assets, scan accuracy, the ability to scan complex applications and APIs, and streamlined remediation.
  • Beyond scanning capabilities, also consider product maturity, vendor commitment, and how easily DAST tools integrate into development workflows.

Dynamic application security testing (DAST) solutions perform a critical role in helping DevSecOps teams protect web applications against malicious attacks. By simulating attacks on running applications, DAST tools can quickly and automatically identify vulnerabilities that could otherwise go unnoticed until a penetration test.

Given the importance of security testing throughout the software development life cycle (SDLC) and in production, it’s vital to select the right tool for your organization’s needs. While most DAST solutions share common base features, specific capabilities set some products apart from the pack. Below are eight key points to consider when evaluating DAST tools – but why DAST in the first place?

Why do you need DAST?

“Think like an attacker” is one of the most important concepts in application security. DAST tools automate that approach, performing simulated attacks on running applications to mimic the ways that malicious users might seek to exploit vulnerabilities. A key advantage of DAST tools is that they don’t require access to source code, so they can be used to test web applications written in any language or mix of languages. 

DAST tools complement other types of application security testing products in an organization’s portfolio. These can include static application security testing (SAST) tools to analyze source code for vulnerabilities and interactive application security testing (IAST) tools that interact with running applications while simultaneously examining the application code to pinpoint security problems.  

8-step DAST evaluation checklist  

Every DAST solution – and every DAST solution vendor – is a bit different. Here are eight features to consider when evaluating a DAST solution to ensure that your organization gets exactly what it needs.

1. Visibility into all applications

Modern organizations have multiple websites and applications, with each containing multiple points of attack. Securing one application has only a limited value if you leave gaping security holes in others. Leading DAST solutions use information such as domain data and SSL certificates to perform web asset discovery across all your public-facing assets. Then they can scan the discovered websites and web applications for vulnerabilities.  

2. Scanning depth and accuracy

DAST tools crawl target applications to find and subsequently test all application inputs, each of which represents a potential attack point. But today’s web applications can be extremely complex, and not all DAST tools are capable of identifying every input. It’s important to choose a tool with a comprehensive crawling and scanning engine based on a full modern browser to interpret the application architectures and frameworks you use today or may use in the future, including all-JavaScript stacks. In addition, many applications include functions that are only accessible after login or other custom authentication. An inability to test those areas will leave security gaps, so closely scrutinize each DAST tool’s capabilities for authenticated scanning.     

3. API scanning

Many web applications today are built as a collection of microservices. They combine custom code with multiple open-source and other third-party components accessed via web APIs. Attackers increasingly target these APIs, which handle more than 80% of web traffic. Testing the APIs is therefore an essential aspect of application security. You’ll need a DAST solution that supports all the common standard API formats, such as WADL and OpenAPI, and is able to test for vulnerabilities exposed via those APIs. 

4. Streamlined remediation

Once DAST has identified vulnerabilities, it’s vital to address them quickly, especially in production. Look for DAST solutions that shorten time to value by providing actionable vulnerability reports to help developers fix issues without lengthy, cumbersome, back-and-forth exchanges with security teams. Some tools can provide detailed reports that help to isolate the root cause of each vulnerability, deliver proof-of-exploit evidence that shows you’re not wasting time on false positives, and recommend mitigation actions. 

5. Performance

DAST solutions must balance comprehensive scanning capabilities against performance considerations. It’s important to examine the potential performance impacts, depending on when you expect to use DAST during your organization’s development and production steps, so look for flexible scanning options to specify limits for testing depth and time. When integrating into the SDLC, an incremental scanning capability is a must to rapidly test and retest for specific vulnerabilities or across a limited subset of your environment. 

6. Compliance reporting

Web applications may be subject to a host of governmental and industry-specific compliance and security requirements. That’s especially the case for companies in industries such as financial services and healthcare. Ensuring that applications comply with regulatory requirements can be extremely time-consuming. DAST solutions that automate compliance reporting can help. If regulatory compliance is a concern for your organization, look for DAST solutions that automate reporting for standards such as PCI DSS, HIPAA, and ISO/IEC 27001. These reports can help the organization identify areas that need to be addressed as well as demonstrate that you have the security testing processes needed for compliance. 

7. Seamless integration

Any security product’s value depends, in part, on its ability to integrate into your development workflow. When it comes to DAST, there are three major areas of integration to consider. Firstly, you definitely need integration with industry-standard issue-tracking tools. The second area is integration with tools such as IAST, which helps developers to pinpoint the code that contains vulnerabilities. Thirdly, and more broadly, you need to look for integration with development and testing workflows. Simply put: the more seamless, the better. DAST solutions should include prebuilt integrations that let developers trigger DAST scans from popular CI/CD workflow automation tools such as Jenkins. They should also come with comprehensive and well-documented internal APIs that enable integration with other products when necessary. 

8. Product maturity and vendor expertise

It’s important to examine each supplier’s track record and market commitment because you’ll be relying on your DAST solution to perform accurately over the long term to help prevent potentially catastrophic security problems. How long has the product existed? Perhaps more than any other security technology, DAST solutions take years to mature. Can the vendor demonstrate existing successful case studies that are sufficiently similar to your situation and provide confidence that the tool will do what you need? Does the supplier provide frequent product updates that demonstrate its continuing commitment to enhancing the technology? A vendor that offers support and services in addition to its DAST solution is valuable for software teams who need to supplement their security expertise.  

Choose the DAST solution that works for your organization

DAST solutions are a practical necessity for any modern organization that runs and builds its own web applications, both to keep a watchful eye on production deployments and to help software development teams find and fix security issues early. The right DAST solution should provide a comprehensive set of features for testing application security – and it should also fit smoothly into your unique development and operations workflow. That’s why it’s essential to carefully investigate your options before making a decision.

Hopefully, this evaluation checklist provides a helpful starting point for your DAST tool research. For a deeper dive into what to look for, get Invicti’s free Web Application Security Buyer’s Guide.