How to select a DAST scanner

A dynamic application security testing scanner simulates the moves of a hacker to uncover web application vulnerabilities. Here’s how to assess your DAST options.

Key takeaways

  • As cyberattacks become more pervasive and sophisticated, organizations must do more than scan static code in web applications. They must simulate real-world app attacks to uncover gaps.
  • A DAST scanner discovers web vulnerabilities and misconfigurations in running web applications, both in production and earlier in the software development life cycle.
  • Modern DAST scanners can operate at multiple points of the development pipeline to support DevSecOps and a more robust cybersecurity model.

The complexity of web application security isn’t up for debate. Attack vectors are growing in number, code is expanding, and risks are mounting. So how can an organization continuously safeguard its applications throughout the software development life cycle (SDLC), given the impracticality (and prohibitive cost) of purely manual testing? The answer is to use dynamic application security testing (DAST) to automatically scan web apps and their external dependencies for exploitable vulnerabilities and misconfigurations that could lead to a breach.  

To be clear, a DAST scanner doesn’t analyze code. That’s the domain of a static application security testing (SAST) tool. Rather, a DAST scanner analyzes web application behavior by automating realistic attacks on a running application to discover security issues. Bigger-picture, comprehensive analysis of DAST data can provide valuable clues about how to improve not only security but also programming methods, DevOps processes, and much more.

The result is a stronger defense and a framework that revolves around application security being a truly continuous process.

A DAST scanner is an essential part of a cybersecurity defense model

As more organizations shift left, it’s critical that they catch vulnerabilities as early as possible in the application development process, paying special attention to those listed among the OWASP Top 10 web app security risks. These include issues such as SQL injection, cross-site scripting (XSS), authentication failures, and server-side request forgery. 

Depending on the product, it can also be possible to spot outdated open source libraries and frameworks that can serve as an entry point for attackers. These include JavaScript libraries, web development frameworks, and CMS deployments.

Using web crawling technology, a DAST scanner first maps the entire app to find all possible entry points. Next, acting much like a black-hat hacker, it automatically attacks every entry point and then reports any vulnerabilities and misconfigurations it detects. It can do the same for APIs, as well. Should more details be required to pin down a detected issue, a security engineer or penetration tester may be called on to manually reenact a test at a specific access point and investigate further.

What to look for in a DAST scanner

As with any type of technology tool, selecting a DAST scanner requires the proper due diligence. When evaluating DAST scanners, consider and compare the following features to select the one that’s right for your business. 

  • Scan quality: It’s critical to look for a tool that can effectively reach across technology stacks, sites, domains, and APIs – and even spot lost, forgotten, or hidden vulnerabilities. A DAST scanner must operate in a technology-agnostic manner and reduce or eliminate false positives, for instance through automated confirmation. To completely and correctly render, crawl, and test JavaScript-heavy applications, any serious scanner must incorporate a full modern browser engine, such as Chromium.
  • Scan performance: Top DAST tools complete scans faster and perform initial crawling tasks more thoroughly and accurately than subpar tools. Of course, speed is relative to the complexity of the web app or API being tested, so be sure to use the same test target for an accurate comparison across tools. DAST scanners also operate in a continuous and highly automated mode, even when accessing targets via advanced authentication protocols, such as OAuth2 and NTLM/Kerberos. They achieve superior results through combined signature-based and behavior-based scanning. 
  • Deployment: Many organizations are making the move to the cloud, though some still prefer their software to reside on premises or even be a combination of both deployment options. A DAST scanner that can support either of those deployment models provides the most flexibility, especially as a business grows – along with its software needs. Hand in hand with deployment is having access to a customer support team for onboarding and integration assistance, training, and more.
  • Integration: Best-in-class DAST scanners can integrate with other tools to deliver a more complete view of a web application environment. These can include interactive application security testing (IAST) tools, which can check code while running, and software composition analysis (SCA) to identify vulnerable open-source software components. The result is a security testing framework that can model actual user journeys across a broad array of environments and situations.

Another consideration is whether a DAST scanner is easy to integrate into various points in continuous integration and continuous delivery (CI/CD) pipelines. As organizations shift left, they are much more likely to detect problems earlier in the software build, integration, review, staging, and production cycles. In addition, a DAST scanner should integrate with SDLC tools from major vendors, as well as issue-tracking systems, project management tools, business communication platforms, and more.

  • Automation: Ideally, a DAST scanner builds bridges between coders and security teams. Advanced DAST scanning tools can adapt to applications and deliver feedback to developers that guides them to writing more secure code. This aids in detecting and managing issues earlier in the SDLC while reducing vulnerabilities over time. Another important aspect of automation is the ability to send vulnerability information directly to a web application firewall (WAF), so that attacks on a production application will be blocked until the issue is remedied.
  • Reporting: DAST scanners typically produce high-level summaries along with detailed reports that point to specific security issues and overall trends. This information can also be displayed on customizable, easy-to-read dashboards that highlight scan results during and after a vulnerability scan.

Final thoughts

The right DAST scanner can help an organization achieve a more holistic and comprehensive security model – one that evolves beyond a reactive approach and into the realm of continuous and efficient DevSecOps. The result is a more secure enterprise that’s equipped to deal with new risks and threats while maintaining the level of innovation that business demands.

For more information on how to evaluate DAST scanners, download Invicti’s free Web Application Security Buyer’s Guide.

About the Author

Samuel Greengard - Contributing Writer

Samuel Greengard has written extensively about cybersecurity issues. He is the author of The Internet of Things (MIT Press, 2015) and Virtual Reality (MIT Press, September 2019).