More than a box to tick: Meet the real DAST

The checklist approach to application security tooling has some organizations treating DAST as a box to tick rather than a critical part of their security program. This post calls out the misconceptions behind this checkbox mentality and shows how getting the wrong DAST tool for the job can create hidden risks and costs.

The proliferation of application security testing tools in the last few years has created a lot of confusion. For some buyers as well as vendors, DAST has been erroneously relegated to a checklist item, with low cost given more consideration than quality. The resulting race to the bottom is creating risk in organizations that security leaders may not be aware of. Time to set the record straight on business-critical DAST versus “check-the-box” DAST, with an infographic to show what’s what.

Navigating the DAST maze

First things first: dynamic application security testing (DAST) covers all types of security testing done on a running application, whether manual or automated. But in cybersecurity jargon, “DAST tool” is a common term for a web vulnerability scanner—and because these vary widely in maturity, purpose, and effectiveness, things can get confusing. Generalizing a bit, there are three informal categories of DAST tools:

  • Pentesting scanners: Single-user scanners designed for ad-hoc scanning to find potential issues for further manual testing
  • Basic automated scanners: Legacy products that often struggle with modern web applications, leading to low-quality results
  • Comprehensive DAST solutions: Dedicated products designed for automated vulnerability testing and constantly maintained to keep up with current web technologies

Which type of tool is right for you depends on your specific use case. For example, a scanner that does the job perfectly well for a penetration tester might flood developers with false positives if you try to automate it into the pipeline. Conversely, a full-on enterprise solution with automation and integration might be overkill if you only need to scan one site. But looking beyond specific product categories, there are only two types of DAST tools: those critical for your application security and those that merely tick your “DAST” box.

The checkbox trap

Vulnerability scanning is not only a best practice but often an explicit compliance requirement. When seen alongside all the other requirements, DAST can get relegated to a checkbox that needs ticking, regardless of scan accuracy or usefulness for your specific organization. This can be especially tempting when DAST is bundled cheaply with other cybersecurity tools, or when someone says “let’s just use an open-source scanner, it’s free.”

The checkbox approach to DAST leaves organizations vulnerable and increases their risk profile while giving a false sense of security. After all, we have DAST, so we’re good, right? Well, no—the whole point of security testing is to find and eliminate vulnerabilities. Merely having a tool doesn’t improve your security. Neither does running scans that don’t find anything. And neither does getting vulnerability reports that are useless for remediation.

DAST that works as advertised can change your entire application security game. DAST that doesn’t can be worse than no DAST at all.

You can’t automate inaccurate results

The fundamental challenge with automated dynamic testing is ensuring accuracy at every stage of scanning. If the crawler isn’t accurate enough, some targets won’t be tested at all. If the scan engine isn’t advanced enough, the targets that do get tested might slip away with undetected vulnerabilities. And if the reporting and prioritization aren’t up to par, users may be flooded by false positives and other non-actionable alerts.

With ineffective crawling and testing, the scanner will report too little or nothing at all, potentially creating a false sense of security. You might think that the scanner hasn’t found any vulnerabilities because your app is so secure when, in reality, nothing was found because most of the app wasn’t tested. This is a typical problem with legacy tools that can’t cope with modern authentication requirements and JavaScript-heavy dynamic applications.

Once the scans are complete, accurate reporting means presenting the user only with relevant findings. With a pentesting scanner, returning lots of uncertain results might be useful during ad-hoc manual testing but is poison for any automation attempts. Having a security expert sift through dozens of suspected vulnerabilities is one thing, but asking developers to do this, especially in automatic tickets, will cause them to start ignoring security issues after the first few false positives.

Far from being a saving, taking shortcuts to check the DAST box can cost you time and money for no material security improvements.
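
A pipeline gate that applies the two points above, written as an added example and not taken from the original post or any vendor's product: it refuses to trust a quiet scan whose crawl missed known routes or was bounced to the login page, and it sends only confirmed findings to automatic tickets. The scan summary shape, the `confirmed` flag, the route inventory, the host and the 80% threshold are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed route inventory (e.g. exported from a router or OpenAPI spec).
KNOWN_ROUTES = {"/", "/login", "/search", "/account", "/account/orders",
                "/api/cart", "/api/checkout", "/admin/users"}

BASE = "https://shop.example"  # placeholder host

# Constructed scan summary in a hypothetical, tool-neutral shape:
# (requested URL, HTTP status, URL the scanner finally landed on).
SAMPLE_SCAN = {
    "crawled": [
        (BASE + "/", 200, BASE + "/"),
        (BASE + "/search?q=test", 200, BASE + "/search?q=test"),
        (BASE + "/login", 200, BASE + "/login"),
        (BASE + "/account", 200, BASE + "/login?next=/account"),
        (BASE + "/admin/users", 200, BASE + "/login?next=/admin/users"),
    ],
    "findings": [
        {"title": "Reflected XSS", "path": "/search", "confirmed": True},
        {"title": "Possible SQL injection", "path": "/search", "confirmed": False},
    ],
}


def _path(url):
    return urlsplit(url).path or "/"


def evaluate_scan(scan, known_routes, login_path="/login", min_coverage=0.8):
    """Decide whether a scan result can be trusted and what to ticket."""
    tested, bounced = set(), set()
    for requested_url, status, final_url in scan["crawled"]:
        requested, landed = _path(requested_url), _path(final_url)
        if requested != login_path and landed == login_path:
            bounced.add(requested)  # session lost: page was never really tested
        elif status < 400:
            tested.add(requested)
    coverage = len(tested & known_routes) / len(known_routes)
    return {
        "coverage": coverage,
        "untested": sorted(known_routes - tested),
        "auth_bounced": sorted(bounced),
        # A quiet report only counts if the scanner actually reached the app.
        "trustworthy": coverage >= min_coverage and not bounced,
        # Only confirmed findings become automatic developer tickets.
        "auto_ticket": [f for f in scan["findings"] if f["confirmed"]],
        "manual_review": [f for f in scan["findings"] if not f["confirmed"]],
    }
```

On the sample data the gate reports 37.5% coverage and two pages bounced to login, so the scan is marked untrustworthy even though it returned findings for the public search page.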

There’s no such thing as a free DAST

Automated web vulnerability testing requires years of non-stop research, development, and maintenance to get exactly right on real-life applications and tech stacks. This means not only frequent updates to security checks but also constantly refining the scanner and its configuration options to make sure it works across a variety of unique application environments. And unless somebody else is putting all that work into the product, you could find yourself footing the bill for trying to do it internally.

One issue with check-the-box bundled scanners is they are often unmaintained and treated as a sideshow by the vendor, leaving your teams scratching their heads to get scans working and somehow integrate the tool into their workflows. As an example, a tool that is technologically ten years old will struggle when confronted with SSO authentication, at best requiring manual hand-holding to authenticate the scanner and at worst completely failing to crawl and scan pages that require authentication—leaving you with lots of working hours wasted.

The same goes for workflow integrations. Because they are not designed with automation in mind, basic DAST tools require lots of work on building custom integrations and fragile data ingestion scripts. And after spending time and money on integrating them, you might find that the results now being pumped into your systems are unusable, again resulting in wasted effort with little to show for it. 

Getting value from DAST

Every organization needs a DAST tool to scan its applications for vulnerabilities in production, development, or both. When choosing the solution that’s right for you, ask not only about the upfront cost but also the time and cost of getting measurable value out of it. For DAST in particular, vendor support can make or break your scan effectiveness and time to value. To act as a critical pillar of your application security program, DAST needs to be set up as quickly as possible, fine-tuned to safely scan every corner of your application environment, and deliver actionable reports for remediation.

Ultimately, it’s the difference between “Here’s the tool, deal with it” and “Let’s get you finding and fixing vulnerabilities as soon as possible.”

Frequently asked questions

What is DAST (dynamic application security testing) in cybersecurity?

DAST is a security testing methodology that examines web applications in their running state to identify vulnerabilities and assess security risks by simulating real-world attacks.
 

What are the benefits of using DAST for web security?

The benefits of using DAST for web security include comprehensive coverage of web applications, detection of runtime vulnerabilities, scalability for large-scale assessments, and the ability to provide actionable insights for developers and security teams.
 

How can organizations maximize the effectiveness of DAST in cybersecurity?

Organizations can maximize the effectiveness of DAST by integrating it into the software development lifecycle, conducting regular scans, prioritizing and addressing identified vulnerabilities, and leveraging automation to streamline testing processes.
 

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.