How to choose your DAST Tool
Research / Posted January 20, 2022
If you’re unsure on what exactly DAST is, then before reading this article make sure to check out our Dynamic Application Security Testing (DAST) page to learn more about the subject.
Why do I need a DAST tool?
It is recommended to use a DAST tool for analysing web applications that you operate so that you can gain visibility into potential vulnerabilities and manage any subsequent risks to your platform or your customers’ data. In 2021 around forty percent of businesses and a quarter of charities reported experiencing cyber security breaches or attacks in the previous 12 months. [Cyber Security Breaches Survey 2021]
With more and more high-profile attacks coming to light, such as the widely reported SolarWinds hack, companies are tightening up their cyber security and investing in year-round continuous security testing using methods including DAST tooling.
With 71% of breaches being financially motivated, and with some of the large GDPR fines issued recently, it can really pay to invest in a DAST solution. Licence costs can be minimal compared with the financial and reputational damage of a company being hacked.
What should I look for in a DAST tool?
There are a few things you should look for in a DAST tool, some that are universally recommended, and some that may depend on your organisation and its unique operating environment. Some of the features that AppCheck believes are most important to be included in your new DAST tool are outlined below:
A low number of false positives and false negatives
DAST testing is performed from a “black box” remote-access perspective, so detected potential vulnerabilities cannot be immediately verified by manually reviewing the code. This means that there is the potential for false positives (reported vulnerabilities that are not in fact exploitable). It is important that a DAST tool minimise the false positive reporting rate so that triaging and remediating vulnerabilities is as efficient as possible and reviewing scan results does not carry an unacceptable level of overhead. However, it is equally important that a DAST tool deliver a low number of false negatives (failures to report a vulnerability that is in fact present), so that a scan result set does not deliver a false sense of security.
AppCheck greatly reduces the number of false positives and false negatives by attempting to verify detected vulnerabilities. It does this by gently probing targeted applications using safe exploitation techniques to confirm the vulnerability presence wherever possible.
A good DAST tool will include detailed reports which are easy to generate on an automated basis and which include a high-level summary for easy review, supported by a high level of technical detail where needed that can be used to verify and track down the source of the vulnerability. Things to look for in a report are: grouping of findings by severity, full technical analysis, remediation advice, and a simple risk-based explanation of findings that can be presented to and understood by upper management.
You can take a look at a sample report generated by AppCheck on our website. Better yet, sign-up for a free trial assessment and our team can talk you through the findings in your own critical IT assets.
Modelling user journeys
Unlike static analysis, a DAST tool runs online and targets an actively running application environment complete with environmental configuration and real application behaviour. Because of this, a DAST tool is able to replicate and step through user journeys to permit them to analyse context-dependent application behaviour, step through multi-stage forms or process flows, and to test application components such as admin panels that are hidden beyond log-in screens.
AppCheck automatically attempts to handle applications that require authentication and can also employ its signature GoScript feature to help you authenticate and navigate more of your site and increase the attack surface coverage. By implementing a browser-based approach to testing that accesses targeted applications exactly as a regular user does, an enterprise tool like AppCheck can out-perform traditional DAST crawlers that rely on scraping HTML. This feature is especially essential for modern “Single Page” web applications built on frameworks such as Angular and ReactJS.
Breadth of Coverage
Coverage of all areas and components within your environment or application by your chosen security testing solution is key – one weak area can be used to undermine the security of your whole estate. Think of it like the physical security of your office building: you may choose to secure your building at night by ensuring that metal shutters are pulled down over the front entrance and windows… but this becomes redundant if you’ve simultaneously left the back door open. Attackers will often gain a foothold in an environment by finding a vulnerability in a legacy or neglected system or service, and then use that foothold to pivot their attack to other, more critical areas.
A key feature you should look for in your security scanning tool therefore is technology agnosticism, by which we mean that the tool is not restricted by which scripting languages and frameworks it supports and is instead able to test all web applications, independent of the server-side programming languages used to generate them.
Dynamic testing from “First Principles”
Some DAST solutions may be limited to detecting only known and published vulnerabilities, known as “CVEs”, by crudely “pattern matching” detected versions of software against a published vulnerability database. AppCheck, by contrast, detects security flaws by adopting a first principles methodology, meaning that it natively probes applications for vulnerabilities in the same way as a penetration tester does. It can successfully identify security flaws within applications and systems that are previously unknown and undisclosed, known as zero day vulnerabilities. This ensures that vulnerabilities can be detected in custom in-house code within an organisation, as well as in third-party software. Our support team works directly with vendors to ensure that flaws are fixed and a patch is made available.
Automation and Frequency of Testing
A key benefit to DAST solutions is that they will often support the capability to schedule ongoing and periodic repeat scans of an application on a recurring basis, so that you can be constantly scanning your environment for vulnerabilities. This is key in minimising the so-called attack window between a vulnerability appearing on a website or service, and it being detected and resolved.
A good tool will allow you to schedule scans and re-test at no extra cost. While AppCheck recommends that automated DAST testing be partnered with an annual penetration test carried out by a human penetration testing expert, a DAST tool should be used throughout the year between penetration testing engagements on an ongoing basis.
Read our article on the importance of regular vulnerability scanning
Testing in the SDLC
In addition to testing your live site regularly, best practice is increasingly focusing on the capability to detect the majority of vulnerabilities even before they make it onto your production site. A DAST tool like AppCheck which allows for unlimited assessments and incorporates an API that can be easily integrated into your CI/CD pipelines means that code can be automatically scanned on pre-production environments every time a new release is prepared or delivered. Read more about vulnerability scanning in the SDLC.
A key deliverable of a penetration test of any kind should be to demonstrate the real-world impact of discovered vulnerabilities by leveraging actual attack payloads – though, critically, payloads that do not harm the target application or disrupt an organisation’s business processes or data. A DAST tool must therefore have the capability to safely exploit vulnerabilities and demonstrate the impact on the business should a vulnerability be exploited. This type of feature can help security and technical teams to demonstrate the value of DAST testing to stakeholders at all levels.
If you experience any difficulties with your chosen DAST tool, is there someone you can turn to for assistance? Look for companies with a support centre in your operating region and time zone so you know that somebody will be on hand to answer queries when you need them most.
Vulnerability Management Workflow
Vulnerability scanning and detection is only one piece of the puzzle for security teams: it is equally important to be able to quickly triage, prioritise and remediate vulnerabilities that have been found before they can be exploited by an attacker. The ability of a DAST tool to seamlessly integrate into existing vulnerability management workflows within your organisation – or to allow you to swiftly and effectively spin up a vulnerability management workflow if one is not already in place – is therefore vital.
You should ask yourself:
Will my chosen DAST tool integrate with our existing workflow tools? Can assessments be conducted throughout the application life cycle from development to production? Can you assign vulnerabilities to specific staff for remediation? And does it include workflow management?
The rescan feature of AppCheck allows individual vulnerabilities to be retested following remediation to determine whether an applied patch or fix has been successful. Each rescan adopts a first principles approach to ensure all known methods of exploiting a given vulnerability are tested for. This ensures the applied fix is robust and cannot be bypassed by an attacker. The remediation process is tracked and presented graphically to give an instant view of remediation efforts across the team.
DAST vs Manual Penetration Testing
Infrequent or limited testing can vastly increase the likelihood of a successful attack by leaving vulnerabilities unfixed for longer. This can mean that organisations that rely solely on annual penetration testing can be leaving vulnerabilities undetected and exploitable in their environment for up to 11 months between tests, which can present an unacceptable risk to the organisation.
While automated tools are becoming sophisticated enough to closely match the ability of manual penetration tests in terms of vulnerability detection, our advice here at AppCheck is to include both manual penetration testing and automated DAST scanning.
By using this approach, an organisation can leverage the ability to quickly detect newly introduced vulnerabilities by running frequent tests using its selected DAST tool, while gaining the assurance of being able to back this up with a dedicated manual penetration testing engagement. Far from being antagonistic, the two approaches strongly complement each other: the findings of the automated scanner can be used to highlight likely areas of concern for a penetration tester to explore further, and any specific findings from a penetration test can be used to “seed” future scans with problematic targets that require more in-depth focus. With AppCheck being so cost-effective, a lot of our customers adopt this belt-and-braces approach for greater security assurance. It is also an approach recommended or mandated by various compliance frameworks, including PCI DSS and ISO 27001, that many of our customers operate under.
“We still do manual testing in line with AppCheck but we rely on this much less and it brings the costs down considerably.” – Queen’s University Belfast
“We still run an annual penetration test but with the addition of regular vulnerability scans as the cost of AppCheck is so affordable. The two work great hand in hand and we ensure we are being as proactive as possible.” – North East London NHS Foundation Trust.
How to get your business to buy into a DAST tool
With such a large and diverse cybersecurity market, it can sometimes be hard to decide on priorities for how best to invest limited budgets, to choose areas of focus for delivering solutions that best address an organisation’s unique security concerns, and to prove the value of DAST when it can appear to be ‘just another tool’ among many. However, as highlighted above, DAST tools can be extremely important to a business and deliver significant return on investment.
AppCheck can offer you a free trial scan of your environment and assets in order to identify areas where you might be vulnerable, to back up your case.
If you’d like a quote to back up your case, feel free to email us at firstname.lastname@example.org where an AppCheck representative can talk through our pricing options.
Get started with AppCheck
No software to download or install.
Contact us or call us 0113 887 8380