Is DAST only for web applications? A fact-check on vulnerability scanning

Securing sprawling web application and API environments can be a constant game of whack-a-mole. To know and control their realistic attack surface, security teams need a way to find and test everything that’s running—and do it consistently, as often as they need. That’s why a DAST-based application security platform is fast becoming the CISO’s tool of choice.

The lines between websites, web applications, web services, APIs, and even mobile applications are becoming increasingly blurred. Web technologies are now the default choice for software development, with frontends talking to backends via APIs in complex distributed architectures and deployment models. When it’s hard to say exactly where “the application” begins and ends, finding a reliable way to test for security gaps requires tools and methods that can give you the big picture.

The challenge of “test everything we’re running, whatever it is and wherever it’s running” is, in practice, best handled through dynamic application security testing (DAST), which in its automated form is commonly called vulnerability scanning. By probing the external attack surface of running applications for security gaps, today’s advanced DAST tools do far more than test a few web pages for XSS. When done right and integrated into your workflows and overall AppSec program, DAST is uniquely positioned to give you a realistic view of your security posture.

What is DAST used for?

DAST solutions are used to automatically test for application vulnerabilities from the outside in. Historically, they started out as simple scripts that aided manual penetration testing by automating the process of trying many variations of an attack. Modern DAST products range from basic standalone scanners, where you get a scan engine and not much else, to full-featured AppSec platforms that allow organizations to make security testing an integral and scalable part of their development and operations.

The outside-in approach to security testing makes DAST uniquely versatile, with major use cases covering both InfoSec and AppSec and including at least:

  • Website vulnerability scanning
  • API security testing
  • Security testing in the SDLC
  • Automated penetration testing
  • Vulnerability assessment
  • Regulatory compliance

When is DAST an appropriate solution?

Some form of application security testing is a non-negotiable requirement for any organization that runs and especially develops web applications—meaning practically every sizable company and institution in the world. Among the many complementary approaches to security testing, DAST has the distinction of being usable, useful, and scalable regardless of the technology stack, development status, source code availability, or deployment model.

Making a good DAST solution the centerpiece of your AppSec program can make the difference between being in control of your security and always fighting fires. For a start, integrating and automating DAST gives you a continuous vulnerability testing process that fills the time and coverage gaps between periodic penetration tests. By running your own vulnerability scans as early as pre-production and fixing the flaws they identify, you also get more value from pentesting and bug bounty programs by handling the “easy” issues internally. Finally, a high-grade DAST can verify exploitability rather than merely report a suspected weakness, showing you which vulnerabilities need priority action while also acting as a fact-checker for static application security testing (SAST) and other findings.

Does DAST require a running application?

Dynamic testing is, by definition, performed on a running application or system. However, what may have been a DAST limitation in the days of monolithic codebases and extended deployment processes is often not a major problem today. With application frameworks and especially with containerized components, it’s common to have some kind of runnable app at most stages of the development and testing process, even if it’s not yet a full build. By using DAST at multiple stages of the pipeline, you can start security testing as early as practically possible while gradually extending coverage as you move closer to production.

Can DAST be used for more than just web applications?

Time to finally answer the title question and also confess to a little word trickery. Exactly what qualifies as a “web application” depends on your definition in a specific context, but the practical upshot is that DAST absolutely can and should be used to test any running software built with web technologies. So when you’re scanning a complex web app that has an admin panel website, exposes several APIs, internally uses dozens of web services, and communicates with a backend relational database—what are you really testing? With an enterprise-grade DAST, you can test all these parts of your application environment and more. 

Using DAST for API security testing

In theory, APIs—being specifically designed for automated access—seem like an obvious target for vulnerability scanning. In practice, it takes years of work to develop reliable security checks for APIs while also properly supporting all major specification formats. For the Invicti AppSec platform, API security testing is handled by a dedicated DAST module and (uniquely) also accompanied by comprehensive API discovery within the same platform.

Testing for server misconfigurations

Just as attackers will take advantage of any weakness they can find, DAST can probe your application environments not only for application-specific vulnerabilities like injections but also for security gaps in the way your servers are set up. This typically means analyzing server responses to flag issues such as missing or incorrect security headers, insecure cookie attributes, or software versions disclosed in response headers, but it can also include other checks related to how the server is configured.
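Here is what such a passive response check looks like in practice, as an added example in Python that is not part of the original article and not Invicti’s code. It parses a raw HTTP response and flags the header weaknesses a scanner would typically report; the two sample responses are constructed for the example, and the six-month HSTS threshold and the particular set of checks are this example’s own choices rather than any product’s rule set.

```python
"""Passive security-header audit of a raw HTTP response.

Added example, not code from the article or from any scanner product.
The sample responses are constructed; the thresholds are this example's
own choices.
"""
import re

SIX_MONTHS = 15552000  # example threshold for HSTS max-age, in seconds


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased; values are kept in a list because some
    headers (Set-Cookie in particular) legitimately repeat.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(headers, https=True):
    """Return a list of human-readable findings for one response."""
    findings = []

    def first(name):
        values = headers.get(name)
        return values[0] if values else None

    hsts = first("strict-transport-security")
    if https:
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            m = re.search(r"max-age=(\d+)", hsts)
            if not m or int(m.group(1)) < SIX_MONTHS:
                findings.append("Strict-Transport-Security max-age below six months")

    csp = first("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        # 'unsafe-inline' without a nonce or hash disables most XSS mitigation
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Either header stops framing; report only if neither is present.
    if first("x-frame-options") is None and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")

    if first("referrer-policy") is None:
        findings.append("missing Referrer-Policy")

    server = first("server")
    if server and re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses version: {server}")
    if first("x-powered-by") is not None:
        findings.append("X-Powered-By discloses backend technology")

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit_raw(raw: bytes, https=True):
    """Convenience wrapper: parse and audit in one step."""
    return audit_headers(parse_response(raw)[1], https)


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.49\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    b"\r\n<html></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Referrer-Policy: strict-origin-when-cross-origin\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw(raw))
```

Checks like these are passive: they read responses the scanner receives anyway, so they add no attack traffic and can run against any endpoint the crawler reaches, which is why a scan of a “web application” routinely surfaces server configuration issues alongside injection findings.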

Finding database misconfigurations

Most applications are backed by some sort of database, so identifying database-related vulnerabilities such as SQL injection is the bread and butter of DAST scanning. Letting an attacker send commands to your backend database is bad enough, but the really serious breaches happen when that database is insecurely set up, typically because the account the application connects with is over-privileged, so that an injection gives access to tables and operations the application shouldn’t be touching in the first place. Advanced DAST security checks can reveal not only the injection points but also the consequences of insecure database server configurations.
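The following added example (Python with the standard sqlite3 module, not code from the article or from Invicti) shows both halves of that statement. A product lookup built by string concatenation is probed with a UNION payload that reads a credentials table; the parameterized version of the same lookup is immune to it; and, because SQLite has no user accounts, a least-privilege database account is modelled with set_authorizer() to show that a restricted account contains the damage even when the injection itself remains. The schema, rows and payload are constructed for the demonstration.

```python
"""SQL injection probe against a vulnerable and a parameterized lookup.

Added example built on Python's sqlite3; the schema, rows and payload are
constructed for this demonstration. SQLite has no user accounts, so a
least-privilege database account is modelled with set_authorizer().
"""
import sqlite3

# Constructed payload: a UNION that pulls credentials from a table the
# product lookup has no business reading.
UNION_PAYLOAD = "1 UNION SELECT email || ':' || password_hash FROM users"


def make_db():
    """Create an in-memory database with a public table and a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 1), (2, 'Gadget', 1),
                                    (3, 'Internal prototype', 0);
        INSERT INTO users VALUES (1, 'admin@example.test', 'fake-hash-for-demo');
    """)
    return conn


def lookup_vulnerable(conn, product_id):
    """Deliberately vulnerable: the caller's value is spliced into the SQL text."""
    sql = f"SELECT name FROM products WHERE public = 1 AND id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    """Hardened: the value travels as a bound parameter, never as SQL.

    A non-numeric string bound to an INTEGER column simply matches nothing;
    real code would also reject non-integer ids before reaching the query.
    """
    sql = "SELECT name FROM products WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def restrict_to_products(conn):
    """Model a least-privilege account that may read only the products table."""
    def authorizer(action, table, column, db_name, trigger):
        if action == sqlite3.SQLITE_READ and table != "products":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn


def probe(conn, base_id, payload, hardened=False):
    """Differencing probe in the style of a scanner.

    Compares the rows for a known-good id with the rows for the payload.
    Returns ("leak", extra_rows), ("clean", rows) or ("denied", message).
    """
    lookup = lookup_parameterized if hardened else lookup_vulnerable
    try:
        baseline = set(lookup(conn, base_id))
        attacked = set(lookup(conn, payload))
    except sqlite3.DatabaseError as exc:   # SQLITE_AUTH surfaces here
        return ("denied", str(exc))
    extra = sorted(attacked - baseline)
    if extra:
        return ("leak", extra)
    return ("clean", sorted(attacked))


if __name__ == "__main__":
    print("vulnerable, full access:", probe(make_db(), 1, UNION_PAYLOAD))
    print("parameterized:          ", probe(make_db(), 1, UNION_PAYLOAD, hardened=True))
    print("vulnerable, restricted: ", probe(restrict_to_products(make_db()), 1, UNION_PAYLOAD))
```

The three outcomes map onto what a scanner report distinguishes: the injection that leaks data from another table, the same input against parameterized code producing nothing, and the injection that is still present but stopped by database privileges. Fixing the query is the real remediation; restricting the database account is the configuration layer that limits what an injection you have not found yet can reach.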

Scanning mobile application backends

While DAST doesn’t scan mobile applications directly on a local device, many of those apps are merely a mobile frontend that sends and receives API calls to and from a backend that does all the heavy lifting. And because advanced DAST solutions can also scan APIs, you can use them to perform security testing on the backends and services used by frontend apps, including mobile applications. The prerequisite is knowing what the backend exposes, whether from an API specification or from traffic captured while using the app, since a scanner cannot discover those endpoints by crawling a mobile binary.

Bottom line: Application security is far more than scanning web pages

Application security has come a long way since the piecemeal efforts and tools used in the past—and with so many critical business systems now living in the cloud, the stakes are also far higher. CISOs and other security leaders now acknowledge that nobody will ever hand them a complete and carefully maintained inventory of every attack point across their organization’s sprawling application environments, much less a detailed security testing report for each app and API. Instead, they are taking charge by finding technical solutions that let them and their teams find, test, fix, and continuously monitor their realistic web attack surface.

Dynamic security testing is the only practical approach that can provide this level of coverage and visibility, making a DAST-first application security platform such as Invicti uniquely suited for the job. With the industry’s most advanced and accurate vulnerability scanning engine at its core, the Invicti platform adds application and API discovery, software composition analysis (SCA), outdated technology detection, vulnerability management, workflow integrations, and much, much more to bring all your application security under a unified DAST umbrella.


About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.