Invicti Shows the World How to Do DAST

The importance of dynamic application security testing (DAST) grows every day and many vendors now offer products that all make very similar claims. Invicti founder Ferruh Mavituna talked to Paul Asadoorian about the DAST market today, Invicti’s vision, and what makes a true DAST solution.


Ferruh Mavituna on Security Weekly at Black Hat USA 2020

During Black Hat USA 2020, Invicti founder Ferruh Mavituna talked to Paul Asadoorian about the DAST market and what makes a true DAST solution. Watch the full interview below and read on to learn more about Invicti’s unique vision and market position.

What Makes a Good DAST Tool?

Dynamic testing is the only universal approach to web application security testing in the real world, so vendors in the web security space are keen to have a DAST solution in their portfolio. For customers who are in the market for a web application security scanner, the messaging coming from different vendors looks much the same: high accuracy, low false positives, fast and scalable scanning, and so on. So what should you look for in a DAST solution?

Scraping off the marketing language, the fundamental job of a DAST tool is to help developers and security professionals find and fix web application vulnerabilities. To do this automatically, you need maximum test coverage. This starts with finding all the points you need to test, because without accurate asset discovery, you will never get good coverage. Once you know what to test, the tool then needs to find all the vulnerabilities in the identified assets, which is where the real testing begins.

Crucially, a good DAST solution balances three requirements: maximizing performance, finding vulnerabilities, and minimizing false positives. Finding the sweet spot between them is vital to ensure that a product is truly useful and effective as a tool for improving web application security.

The Challenges of Modern Web Applications

Web application security scanners started as relatively simple tools to automate parts of the manual penetration testing process. As websites and web applications grew more complex, basic automated testing could not keep up with new web technologies and development paradigms. This stage of DAST evolution was the source of lingering misconceptions about the limitations of dynamic testing tools.

Modern web applications can be hugely complicated, with multiple layers of frameworks and libraries between the source code and what is finally rendered by the browser. To even consider testing them effectively, you need to implement a scanning engine based on a real browser (as Invicti does) to ensure that you see the same picture as the attacker.

Business websites and applications often require user authentication, which is a major stumbling block for less advanced dynamic application testing tools. To get any kind of useful test coverage without extensive manual configuration, you need to support automated authentication for all the major industry standards – not a task for the faint-hearted.

The Key to Making a True DAST Solution

Web application security is such a complex and dynamic field that there is no quick and easy way to build a DAST solution. The only way to achieve high accuracy and coverage in vulnerability scanning is through constant innovation over many years of relentless improvement and development based on research and feedback from real-life use cases.

The vulnerability scanning capabilities in Invicti products have been under constant development since 2006. Invicti engineers maintain a huge test environment that covers all the functionality and vulnerability checks added to the product since the very beginning. Innovating in DAST is our core business and the whole company culture is built around it.

Many other vendors offer vulnerability scanning as an add-on feature to their main security product. We call these “DAST-lite” solutions – they can find basic vulnerabilities in simple applications, but can’t match the coverage and accuracy of a dedicated tool.

We Don’t Take “No” for an Answer

The commitment to constant innovation in vulnerability scanning is what sets Invicti apart from the crowd. If a customer has problems with scanning a particularly complex website or application, we see this as an opportunity to improve our product. We never say “It can’t be done” – because we know it can.

Working with the customer, our support team and developers find ways to improve performance, coverage, and accuracy to complete the scan and allow the customer to start fixing vulnerabilities. All these real-life use cases add to our expertise and translate into new features and improvements in performance and automation. Every new scanning scenario is added to our internal test environment to ensure that we are always on the cutting edge of web application security testing.

Shaping the Future of Web Application Security

In theory, dynamic web application security testing is simply about balancing the three pillars of coverage, accuracy, and performance. Achieving this in practice requires overcoming massive technical challenges, so many vendors don’t even try.

Invicti is far more than just another vulnerability scanner – it’s a unique, automated security testing solution driven by non-stop innovation. Customers often have low expectations of traditional DAST and don’t even consider it as a serious option, especially for large-scale environments. When they see Invicti in action and learn about the benefits of effective automation and workflow integration, they change their mind immediately.

A modern DAST solution should find all vulnerabilities and help you to quickly and measurably improve the security of all your websites and web applications. If in doubt, simply ask the vendor – and don’t take “no” for an answer.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.