Dynamic application security testing (DAST) is a method that focuses on identifying vulnerabilities in running web applications—usually in a test environment. DAST tools are programming language agnostic. This is the opposite of static application security testing (SAST) that concentrates on source code analysis.
A DAST tool accesses an application from the outside and runs tests that simulate an attacker trying to exploit it via the application user interface and its APIs. DAST tools can be used in both authenticated and unauthenticated states, allowing for testing of exposed application functionalities against vulnerabilities.
The tests include multiple types of attacks, such as cross-site scripting, SQL injection, arbitrary code execution, cross-site request forgery, and more.
To achieve comprehensive security testing coverage, DAST and SAST should complement each other as a part of continuous integration. That works well in the case of small apps and microservices. However, with complex monolithic applications, it may take several hours to complete all tests. Therefore, we at Kiwee run such tests as nightly jobs.
Furthermore, it is important to remember that DAST tests might cause real damage to the application. Thus, they should not be executed against the production environments.