The first step to discovering potential application security vulnerabilities is to conduct static code reviews. However, once deployed, the application is exposed to new threats such as cross-site scripting (XSS), SQL injection, weak authentication, and more. Dynamic Application Security Testing (DAST) tools enable you to spot these risks.
Top DAST Tools
There are many different DAST tools on the global market, from both well-known security vendors to niche players developing DAST only. Here are ServerWatch’s recommendations, in no particular order.
Acunetix
Acunetix automates web application security controls and identifies security vulnerabilities in websites, mobile applications, and APIs before an attacker finds and exploits them. Scanning is available in a black-box mode, in which the product crawls the site on its own, building a map of its structure by following every discovered link and cataloguing every file it finds.
A targeted, on-demand scanning mode lets you import the web application's structure and the credentials needed to reach restricted areas. The program tests every data entry field, parameter, and command, iterating over known attack patterns and combinations.
Detected vulnerabilities are logged in user-friendly tabs that contain a description of the vulnerability, proof that it is exploitable, and recommendations for remediation. The product can be integrated into CI/CD as a step that automatically checks each new version of the application.
Key features:
- Detects and lists all web applications and domains associated with a client
- Uses proprietary technologies and a database of vulnerability detection methods
- Each vulnerability found undergoes testing; only confirmed vulnerabilities are included in the report
- Scanner is built in C++ for efficiency, making it one of the faster solutions on the market
- Builds reports for developers, as well as special reports for PCI DSS, HIPAA, and ISO/IEC 27001
- Enables the import of scan results into WAF (Citrix Web App Firewall, Fortinet FortiWeb, F5 BIG-IP ASM, and Imperva SecureSphere WAF)
- Integrates with ticket systems and builds into CI/CD processes
- Tools such as Jira, GitHub, Jenkins, Bugzilla, TFS, and Mantis are supported
Fortify WebInspect
Fortify WebInspect provides dynamic analysis with core features such as automatic macro generation, Selenium support, and containerization. It also offers crawler interoperability, collaboration features, and broad API coverage, extending the capabilities of dynamic analysis to meet corporate needs and requirements.
Key features:
- Compliance with security requirements using predefined sets of rules and reports according to common standards: DISA STIG, PCI DSS, NIST 800-53, OWASP, ISO 27K, HIPAA, etc.
- High-performance plugins allow both scanning of basic APIs with OpenAPI support (Swagger) and more complex scripts with unique workflows, complex authentication procedures, and non-standard parameter requirements
- Uses both predefined rule sets and rules tailored to specific regulations, balancing coverage against the speed and efficiency of the scan
- Support for incremental, step-by-step analysis lets you quickly assess vulnerabilities in application components that have changed
- Available as an on-premises, SaaS, or hybrid configuration
HCL Security AppScan
HCL Security AppScan is designed for information security professionals and requires highly qualified users, but it provides a complete picture of existing vulnerabilities. The product supports collaboration between the employees responsible for application security and developers. It integrates with common development environments, which makes it possible to track vulnerabilities at an early stage.
Key features:
- Test optimization slider allows you to control the balance between problem coverage and scan speed, using four optimization levels
- Incremental scans provide shorter checks by only working on changes in the application
- Optimized exploration of the application, guided by machine learning-based predictions
- Improved detection of vulnerabilities that cannot be detected directly from the tested application's responses, such as SSRF, OS command injection (OS Commanding), and XXE
Synopsys Managed DAST
Synopsys Managed DAST features on-demand expert dynamic analysis. The solution is backed by a team of Synopsys security experts who continually improve their testing methodologies as the vulnerability landscape changes.
Key features:
- Leverages automated tools to identify common vulnerabilities such as cross-site scripting, SQL injection, security misconfigurations, and other flaws from the CWE/SANS Top 25, OWASP Top 10, and other lists
- Enables manual script testing to find vulnerabilities not found using off-the-shelf tools, such as those related to authentication and session management, access control, data leaks, etc.
- Manual analysis identifies false positives, and data aggregation explains the findings
Tenable.io
Tenable.io is a versatile, cloud-based vulnerability management platform for large, medium, and small businesses. The Web App Scanning application is part of the platform. It allows you to improve the security of web applications by automatically scanning and detecting vulnerabilities.
Key features:
- Understands your web applications through information about their location and a complete sitemap
- Safe Scanning allows you to distinguish between the parts of web applications you should scan regularly and parts you should never scan
- Automated scanning
- Scope of scanning extends to cover HTML, HTML5, and AJAX
- Integration with other Tenable solutions
Veracode Dynamic Analysis
Veracode Dynamic Analysis is a solution that provides automated and scalable dynamic scanning with wide coverage at high speed. As security threats evolve, organizations need a product that will enable them to quickly start the scan and scale as needs increase.
Key features:
- Schedules recurring scans with automatic pause and resume
- Dynamic analysis supports authenticated batch URL scanning to increase reach by scanning behind login areas
- A single automated product combines the large-scale scanning capability that Veracode DynamicMP can perform, with the customization and scanning behind login areas provided by Veracode DynamicDS
WhiteHat Sentinel Dynamic
WhiteHat’s Sentinel Dynamic is designed to automate the scanning, detection, and tracking of changed web pages and links without disrupting the client's site or affecting its users.
Key features:
- Uses a deep stack of JavaScript frameworks to crawl more pages and scale up scan results
- Requires little customization, so most websites can be crawled without heavy user interaction
- Continuous dynamic scans do not affect the scheduling of other scans
- Cloud platform does not require installing hardware or scanning software
- Code changes in web applications get automatically detected and evaluated
- API integration with SIEM, bug tracking systems, and WAF
- Vulnerabilities are checked by security experts at WhiteHat Threat Research Center (TRC) to eliminate false positives
What Is DAST?
Dynamic Application Security Testing (DAST) is the process of testing a program to find vulnerabilities using the black-box method. DAST analyzes applications as they run, detecting flaws such as memory corruption, unsecured server configurations, cross-site scripting, user permission issues, malicious SQL injection, and other critical vulnerabilities.
What Is a DAST Tool?
While static application security testing (SAST) analyzes source code or its compiled versions for security issues when it is not running, DAST tools specifically monitor the behavior of a running application. They run automatic checks to simulate malicious attacks on the website or program.
The goal is to identify unexpected issues. For example, a test might inject malicious data to expose implementation flaws. The DAST tool typically tests all HTML and HTTP hotspots. To find vulnerabilities, the test simulates random user behavior and actions.
How Does DAST Work?
Dynamic testing products do not have access to the source code. To detect security vulnerabilities, they attack the application from the outside. Consequently, the test does not point to specific vulnerable code components, as in the case of SAST.
Traditional DAST technology requires close supervision by security professionals, who often have to draft and tweak tests and/or refine a solution. To do this, experts need a deep understanding of the application to be tested, as well as knowledge of application servers, databases, application traffic flows, and access control lists.
As is the case with SAST tools, there is no one-size-fits-all solution. While some programs (like web application scanning tools) can be easily integrated into the CI/CD pipeline, other DAST processes, such as fuzzing, require a different approach. Black-box fuzzing is a practical choice here, and it greatly simplifies the work because it does not require access to the source code.
In terms of execution, the products can be installed directly at the customer’s premises, or be cloud-based (software-as-a-service). Dynamic application testing can also be performed by third-party experts upon request.
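To make the "attack from the outside" idea in the two preceding sections concrete, here is a small added example that is not code from the article or from any of the vendors above. It models the application as a callable the scanner can only invoke, never read (the DAST constraint), runs a single black-box check for reflected cross-site scripting against a deliberately flawed handler and its hardened twin, and shows how such a check becomes a CI/CD gate. All names and the two sample applications are hypothetical and constructed for the example.

```python
import html
from typing import Callable, Dict, List, Tuple

# The scanner sees only this interface: a request goes in, a response comes out.
App = Callable[[str, Dict[str, str]], Tuple[int, str]]

# Two constructed sample applications. Both echo a "q" search parameter.
def vulnerable_app(path: str, params: Dict[str, str]) -> Tuple[int, str]:
    # Flaw: user input is inserted into the page without output encoding.
    return 200, f"<h1>Results for {params.get('q', '')}</h1>"

def hardened_app(path: str, params: Dict[str, str]) -> Tuple[int, str]:
    # Fix: html.escape() neutralises the characters that break out of text.
    return 200, f"<h1>Results for {html.escape(params.get('q', ''))}</h1>"

# A harmless marker: unique enough to find, and containing the characters whose
# unescaped survival indicates missing output encoding. It is a detection
# canary, not a working payload.
MARKER = "dastprobe<\">'x"

def probe_reflected_xss(app: App, path: str, param: str) -> List[str]:
    """Return a list of findings (empty when the check passes).

    Confirmation step, as the products above describe it: a finding is
    reported only when the marker comes back byte-for-byte, i.e. unencoded.
    An escaped echo (&lt;, &quot;) is treated as safe and yields no finding."""
    status, body = app(path, {param: MARKER})
    if status != 200:
        return []
    if MARKER in body:
        return [f"reflected XSS: parameter '{param}' on {path} "
                f"echoes input without output encoding"]
    return []

def ci_gate(app: App, targets: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Run every (path, param) target and return (passed, findings).
    A CI/CD step would fail the build when passed is False."""
    findings: List[str] = []
    for path, param in targets:
        findings.extend(probe_reflected_xss(app, path, param))
    return (not findings), findings

if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        passed, findings = ci_gate(app, [("/search", "q")])
        print(name, "PASS" if passed else "FAIL", findings)
```

Note that the scanner never inspects either handler's code: it decides purely from the response, which is also why it cannot say which line is at fault, as the section above points out.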
Global DAST Market
According to forecasts by Grand View Research, the application protection market will reach $10.7 billion by 2025, growing by an average of 17.7% per year. Within the code analysis tools segment, SAST and DAST tools account for comparable sales on a global scale.
According to an industry forecast by IndustryARC, the DAST market is projected to reach $2.4 billion by 2025, growing at an average annual rate of 17.4%.
North America dominates the global dynamic application security testing market, and is expected to have significant market share during the forecast period from 2020 to 2025. Key players such as Synopsys, WhiteHat Security, and IBM are the main drivers of this segment’s growth.
The growing demand for application security from leading organizations, as well as the increasing proliferation of smartphones, have also fueled the dynamic application security testing market.
In addition, the adoption of cloud applications, along with investment in research and development, is also fueling the segment in question. Strict government regulations requiring advanced application security testing and the growing levels of cybercrime have had an equally significant impact on the market.
Partnerships and acquisitions, along with new product launching, are key strategies in the dynamic application security testing market. Gartner’s report, “Critical Capabilities for Application Security Testing,” identifies the following major players in the global market:
- Contrast Security
- CAST
- GitLab
- Micro Focus
- HCL Software
- Onapsis
- Synopsys
- Rapid7
- Veracode
- WhiteHat Security
Choosing the Right DAST Solution
Errors and vulnerabilities occurring in an application being developed pose critical risks for information security. DAST solutions allow you to significantly reduce these risks and control development quality without involving external experts. DAST is an applied developer tool that seamlessly integrates into DevSecOps processes.