On The Dynamic Application Security Testing (DAST)

Mesut Oezdil
6 min read · Oct 7, 2024


Imagine you’ve just built an awesome new web app and are excited for users to try it out. But there’s one big question: how do you make sure it’s secure? That’s where Dynamic Application Security Testing, or DAST, comes in. In previous posts we touched on the different phases of DevSecOps; this week it’s time for DAST. It is a type of security testing that looks at your app from the outside — just like an attacker would. It simulates attacks by interacting with the running app to find vulnerabilities, without looking at the code. In other words, it’s like stress-testing your app to see where it might break. A note: All visuals below are my own.

Why Is DAST Important?

Think of your web app as a fortress. You use the best materials, build strong walls, and secure all the entrances. DAST is like sending someone to walk around those walls, push on the doors, and see if they can find a way in. It helps you find vulnerabilities that could be exploited in real life — things like cross-site scripting (XSS) or SQL injection.

The great thing about DAST is that it doesn’t require deep knowledge of your app’s code. It’s all about what an attacker might see and try to exploit. This makes DAST a perfect complement to other types of security tests, like SAST (Static Application Security Testing), which analyzes the source code directly. We covered this topic in detail last week.

Challenges of DAST

Like any tool, DAST has its challenges. It can struggle with apps that have complex user interfaces or are built with JavaScript-heavy frameworks, as it might have trouble navigating these to find security issues. For DAST to be effective, it needs good “spidering” — the ability to crawl through your app and understand all the pages and features.

DAST doesn’t require extensive programming knowledge, which makes it accessible for many users. The flip side is coverage: if the scanner cannot crawl a JavaScript-heavy framework effectively, it cannot test the pages and features it never reaches. Running these tests can also be time-consuming. For developers working in fast-paced CI/CD environments, the key is to integrate DAST in a way that doesn’t slow things down too much.

How to Integrate DAST into CI/CD

Integrating DAST into your CI/CD pipeline is all about balance. You want security, but you also need efficiency — no one likes slow builds. Here are some best practices that can help:

Set Clear Limits: If a scan takes more than 15 minutes, it’s probably too slow for regular CI/CD runs. Focus on faster scans for daily testing and save the more in-depth scans for less frequent runs.

Spidering Matters: The effectiveness of DAST depends a lot on how well it can spider (crawl) your app. Good spidering leads to better vulnerability detection.

Create Separate Jobs: Create different jobs for each type of test, like SQL Injection or Cross-Site Scripting. This helps make the rollout of security testing more manageable.

Phase Rollout: Don’t overwhelm developers by rolling out everything at once. Start with critical tests, like SQL injection, then add more in phases.

Make It Developer-Friendly: Link to documentation or wiki pages from scan outputs so developers can easily understand and fix issues.

Fail on Critical Issues: Make the pipeline fail if critical vulnerabilities are detected. This ensures that nothing too risky slips through.

Control False Positives: False positives can be a pain. Allow local testing and control over what gets scanned to help developers weed out these false alarms.

Use Tools with APIs: Tools with APIs make it easier to automate and integrate scanning into your pipeline.

Avoid Big Frameworks: Keep it simple. Avoid using large frameworks for testing if they aren’t needed.

Everything as Code (EaC): Automate as much as possible. The concept of “Everything as Code” ensures tests are consistent, auditable, and measurable.
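One way to turn several of these practices (the 15-minute limit, failing on critical findings, suppressing reviewed false positives, linking findings to documentation) into a single pipeline gate, as an added example that is not from the original post: a small Python script that reads the JSON report a ZAP baseline scan writes and returns the job’s pass/fail decision. The report shape, the riskcode mapping and the alert documentation URL pattern are assumptions based on ZAP’s JSON output, and the sample report is constructed.

```python
import json

# Constructed sample shaped like a ZAP JSON report (zap-baseline.py -J);
# riskcode "3"=High, "2"=Medium, "1"=Low, "0"=Informational (assumed mapping).
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://app.local:8080", "alerts": [
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "confidence": "2", "instances": [{"uri": "http://app.local:8080/search?q=x"}]},
    {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "riskcode": "1",
     "confidence": "2", "instances": [{"uri": "http://app.local:8080/"}]},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "confidence": "3", "instances": [{"uri": "http://app.local:8080/"}]},
]}]})

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
MAX_SCAN_SECONDS = 15 * 60  # the 15-minute CI budget from the best practices above

def gate(report_json, suppressed=frozenset(), fail_at=3, scan_seconds=0):
    """Turn a ZAP JSON report into a CI pass/fail decision.
    suppressed   - plugin ids a developer has reviewed and accepted as false positives
    fail_at      - lowest riskcode that fails the build (3 = High only)
    scan_seconds - wall-clock time of the scan, checked against the CI budget
    Returns (passed, blocking_findings, warnings).
    """
    warnings = []
    if scan_seconds > MAX_SCAN_SECONDS:
        warnings.append(f"scan took {scan_seconds}s; move this job to a nightly run")
    blocking = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            pid = alert["pluginid"]
            if pid in suppressed or int(alert["riskcode"]) < fail_at:
                continue  # reviewed false positive, or below the failure threshold
            blocking.append({
                "pluginid": pid,
                "name": alert["alert"],
                "risk": RISK_NAMES.get(alert["riskcode"], "Unknown"),
                "instances": len(alert.get("instances", [])),
                # developer-friendly: link straight to the rule's documentation (assumed URL pattern)
                "docs": f"https://www.zaproxy.org/docs/alerts/{pid}/",
            })
    return (not blocking, blocking, warnings)

if __name__ == "__main__":
    passed, blocking, warnings = gate(SAMPLE_REPORT, suppressed={"10010"})
    for f in blocking:
        print(f"[{f['risk']}] {f['name']} x{f['instances']} -> {f['docs']}")
    for w in warnings:
        print("WARNING:", w)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline job
```

Keeping the suppression set in the repository next to the pipeline definition is what “Everything as Code” looks like for false positives: every accepted alert is reviewable in version control.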

Tools to Get You Started

There are several popular DAST tools available, each with different strengths and trade-offs. Here are a few to consider:

i. OWASP ZAP: A great open-source tool for beginners. It’s user-friendly, with lots of community support. You can use ZAP to spider your app and then do an active scan to find vulnerabilities.

ii. Burp Suite: More advanced and often used by penetration testers. It can dig deep into web applications to uncover subtle issues.

iii. Nikto: Another open-source option that’s very comprehensive but not as user-friendly. It runs a variety of tests on web servers to find potential problems.

iv. Nmap: Mostly used for network scanning, but its scripting engine can also probe the web services it finds for known issues in your app.

Here’s a quick comparison of tool maturity and effectiveness (out of 5):

  • ZAP Proxy: 3/5
  • Burp Suite: 4/5
  • Nikto/SSLyze: 3/5
  • Nmap: 4/5

Other DAST Tools

  • Best for security testing your web applications: OWASP ZAP
  • Best overall: Jit
  • Best for large-scale enterprises: Veracode
  • Best for integrating security testing into development: Checkmarx
  • Best for leveraging AI-driven models and tools: Spectral
  • Best for finding and fixing vulnerabilities fast: Acunetix
  • Best for robust and comprehensive security testing: AppCheck
  • Best for automated vulnerability scanning: Intruder
  • Best for unified SCA and DAST in one platform: SOOS SCA + DAST
  • Best attack surface management for AppSec & ProdSec teams: Detectify

Remember: Always Test Locally First

When adding DAST tools, always test locally before pushing to the CI/CD pipeline. This helps catch basic issues early and reduces the noise during automated runs. The typical workflow involves developers testing locally, committing changes to the Git server, and then having GitLab CI/CD run the automated tests.

Baseline vs. Active Scans

When using tools like ZAP, you have two types of scans:

i. Baseline Scan: This is a quick scan that runs spidering for a minute, followed by a passive scan. It’s ideal for CI/CD because it’s fast and helps catch easy-to-find issues.

ii. Active Scan: This is more in-depth, running all available tests. It’s better suited for QA as it takes longer and does a deeper analysis.

Final Thoughts: Humanizing Security

At the end of the day, DAST is about giving developers the insight they need to keep their apps safe — without getting in their way too much. It’s about being proactive and finding weak spots before attackers do. Think of it as being your ethical hacker, checking your fortress walls before real threats come knocking. Remember, DAST works best when combined with other security measures, like SAST and regular security audits. It’s just one part of the bigger picture that keeps your app secure, efficient, and trustworthy.

Taking DevSecOps to the Next Level

If you need a training platform that makes this process easier and shows you all possible methods, here’s your opportunity! If you want to deepen your knowledge of DAST and improve your DevSecOps skills, there is a great opportunity to learn everything we have talked about here — like adding DAST to your CI/CD pipelines and working with tools like SAST and OAST. The Certified DevSecOps Professional course from “Practical DevSecOps” gives you a hands-on learning experience. Whether you are new to DevOps or have some experience, this course is designed for all levels and is easy to follow step by step. Ready to start?

Check out the course and sign up here: Certified DevSecOps Professional Course

If you are serious about growing your security skills and want to become an expert in DevSecOps, this course is perfect for you!
