What Is Dynamic Application Security Testing (DAST)? | AppSec 101

  • Published 3 Jul 2024
  • In Episode 2 of our AppSec 101 series, we sit down with Rick Smith, Product Manager at Micro Focus Fortify, to learn the basics of Dynamic Application Security Testing (DAST). Rick addresses the following common questions:
    - What is DAST?
    - What is the difference between SAST and DAST?
    - What are the strengths of DAST?
    - Why should security professionals use DAST tools?
    - Where is DAST going in the future?
    - What Fortify tools provide DAST?
    LEARN MORE about Fortify: www.microfocus.com/en-us/solu...
    LEARN MORE about how Micro Focus was named a leader in the Gartner MQ for Application Security Testing: software.microfocus.com/en-us...
    LEARN MORE about how Fortify received the highest score in the Gartner Critical Capabilities for Application Security Testing report for the Enterprise use case AND the Mobile and Client use case: www.microfocus.com/en-us/asse...
    SUBSCRIBE TO FORTIFY UNPLUGGED: / @fortifyunplugged
    CONNECT with the Fortify Online Community: community.microfocus.com/t5/F...
    - Connect with peers and share your knowledge
    - Find solutions and answers to your technical questions
    - Stay informed on new releases and product enhancements
    - Access downloads, demos, videos and support tips
  • Science & Technology

COMMENTS • 14

  • @herbcollins9093
    @herbcollins9093 3 years ago +8

    Enjoyed this webinar. Rick Smith does a terrific job in describing DAST.

  • @mangeshsalunkhejaijaijagan9073
    @mangeshsalunkhejaijaijagan9073 3 years ago

    It's a very good explanation. Can we see some DAST use cases for top 10 app testing scenarios?

    • @FortifyUnplugged
      @FortifyUnplugged 3 years ago

      We are glad you found it useful. Thank you for the suggestion and we will aim to create a video on that topic in the future

  • @chackokabraham738
    @chackokabraham738 2 years ago

    Hey team, I had a question on DevSecOps. Nowadays teams are using DAST on environments like Azure and AWS where sometimes a WAF is already implemented in the frontend. And there is no point in using a DAST tool when the WAF is on. Just checking if the DAST tool should be used in an environment where DAST is turned off, or any idea how it's normally done?

    • @FortifyUnplugged
      @FortifyUnplugged 2 years ago +1

      Hi Chacko, DAST is important to identify issues in a running application that sometimes cannot be identified by other AST techniques. DAST can also confirm the exploitation of known vulnerabilities identified earlier in the SDLC. Running DAST scans early and often, shifting the scanning process as far left as possible, scanning from Dev all the way to the Production environment, will increase the visibility of dangerous problems that can occur in your applications. Also, there is a misconception that a service running behind a WAF is safe by nature, which is not true. A common issue with WAFs is obfuscated attacks that can circumvent the rules your WAF solution has in place. Fortify WebInspect (DAST) allows automated creation of a set of WAF rules that can be applied to your WAF product, expediting the WAF staging process and helping to reduce the opportunity for obfuscated attacks. Similarly, WebInspect supports different sets of configurations that can make it suitable for the different SDLC phases you have, like (but not limited to) reducing the number of active threads used for scanning, the custom cookies it inserts during the scanning process, and the rules/checking coverage used for the test.
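
The reply above makes a defensive point that is easy to underestimate: a WAF rule evaluated against the raw request can be sidestepped by encoded variants of the same input, which is one reason the running application still needs to be tested rather than assumed safe behind the WAF. The following is an added example, not code from Fortify, WebInspect or the video, and it is not a real WAF engine: it is a toy filter with one constructed rule (a `<script` tag marker) applied once to the raw string and once after canonicalization (URL-decoding, including double encoding, plus HTML entity decoding). The sample inputs, the `SCRIPT_TAG` pattern and the `normalize`/`evaluate` helper names are all constructed for the illustration.

```python
"""Toy request filter: the same rule on raw vs. normalized input.

Added example (not Fortify/WebInspect code). Shows why rules matched on the raw
request miss encoded forms, and why the running app still needs testing (DAST)
even when a WAF sits in front of it.
"""
import html
import re
from urllib.parse import unquote

# Constructed rule standing in for a single WAF signature: a <script tag marker.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_rule_matches(raw: str) -> bool:
    """Apply the rule to the raw request string, as a poorly staged WAF might."""
    return bool(SCRIPT_TAG.search(raw))


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalize input before matching.

    Repeatedly URL-decode (so double encoding such as %253C collapses to <)
    and HTML-entity-decode, stopping as soon as a round changes nothing.
    The round limit keeps pathological inputs from looping forever.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def normalized_rule_matches(raw: str) -> bool:
    """Apply the same rule after canonicalization."""
    return bool(SCRIPT_TAG.search(normalize(raw)))


# Constructed sample query strings: one plain, three encoded forms of the same
# marker, and one benign value that must not trigger either check.
SAMPLES = {
    "plain": "q=<script>",
    "url_encoded": "q=%3Cscript%3E",
    "double_url_encoded": "q=%253Cscript%253E",
    "html_entity": "q=&lt;script&gt;",
    "benign": "q=description",
}


def evaluate(samples=SAMPLES):
    """Return {name: (naive_hit, normalized_hit)} for every sample."""
    return {
        name: (naive_rule_matches(value), normalized_rule_matches(value))
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:20s} naive={naive!s:5s} normalized={normalized!s}")
```

Running it shows the naive check firing only on the plain form while the normalized check fires on all four encoded forms and stays quiet on the benign value. Canonicalization narrows the gap but does not close it (encodings the normalizer does not know about, or logic flaws no signature describes, still get through), which is exactly why the reply recommends scanning the running application in every environment rather than treating the WAF as the control.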

  • @mehulpruthi
    @mehulpruthi 2 years ago

    Is it advisable to do DAST for COTS applications like SharePoint? Also, what kind of vulnerabilities can we expect in the scanning results of a SharePoint application?

    • @FortifyUnplugged
      @FortifyUnplugged 2 years ago +1

      It is definitely a good idea, and they are just as at risk as any app for vulns, especially environmental and configuration vulns. Thanks for your question!

  • @blacklivesfallout
    @blacklivesfallout 3 years ago

    Which is better if I only had to do one?

    • @FortifyUnplugged
      @FortifyUnplugged 3 years ago

      Just to clarify, are you asking about choosing between SAST and DAST if you can only do one?

    • @FortifyUnplugged
      @FortifyUnplugged 3 years ago +2

      If you're asking which is better between SAST and DAST, that's a tough question to answer. There is no clear winner between the two. We encourage customers to do both to ensure they get comprehensive application security testing.

    • @Himanet
      @Himanet 1 year ago

      Both are needed

  • @bobbymazumder8769
    @bobbymazumder8769 4 months ago

    When can you skip DAST and not SAST?