There’s often a lack of understanding when it comes to DAST as a methodology versus DAST as a tool. How do they relate to each other, and how do they differ? And how can AppSec teams take advantage of both?
Below, we’ll take a look at how both DAST as a methodology and DAST as a tool relate to what we do at Detectify. More specifically, we’ll explain how Detectify’s solution applies DAST methodology to the full breadth of an attack surface, automating the heck out of application security testing. With these methods, we cover millions of domains before you’ve even had breakfast.
Differences between manual and automated security testing
Dynamic Application Security Testing (DAST) is the methodology of testing an application from the outside, poking at it with a stick from a distance. DAST methodology probes a running application by sending it payloads and then checks whether the application screams back, in order to detect potential issues.
In practice, pen-testers use manual DAST methodology when carrying out red team assignments. A pentester could also carry out a code review, which is the manual version of Static Application Security Testing (SAST).
The history of DAST tools
DAST tools have been around for over two decades, and they’ve typically been built to combine crawling and fuzzing capabilities to test isolated applications. In a nutshell, DAST tools aim to implement hacking methodology in an automated way.
Testing isolated applications was effective when they were monolithic, encapsulating all functionality (think back to the good old days of a PHP monolith). However, with the rise of modern technology architecture, the boundaries of applications have become much blurrier. As a result, testing individual applications has become less relevant, as functionality is now spread across various components, such as microservices and cloud components. It’s not uncommon for vulnerabilities to arise at the interfaces between these components, particularly when they interpret edge cases in different ways.
Many organizations only identify a limited list of top assets thought to contain the most sensitive data; the majority of the attack surface is left without any coverage.
With this in mind, it’s no surprise that “traditional DAST” (in other words, DAST tools) tends to be designed in a very unscalable way. Traditional DAST tools often offer the equivalent of one scan profile per application or IP in an attack surface.
As we know, not all subdomains are created equal nor have the same lifespan. Additionally, a subdomain might not contain personally identifiable information (PII), but it might have unauthorized open ports or be susceptible to subdomain takeover.
Detectify can make your budget go further than “traditional” DAST tools can.
Surface Monitoring + Application Scanning = Best-in-class AST solution
At Detectify, we have taken DAST as a methodology and reinvented it as a method. But what does this mean, exactly?
To start, we use DAST methodologies in both our Surface Monitoring and Application Scanning products. Through using DAST methodology as the base for our platform, we’ve designed our solution to be highly scalable and provide customers with more value.
Detectify goes beyond CVE matching by leveraging in-house built engines and vetted payloads in all of its tests. More than 30% of the tests we run do not have a CVE related to them. Instead, we focus on the payloads that are used in the wild.
We also take DAST another step further by utilizing crowdsource-fueled DAST. Crowdsource focuses on automating the detection of vulnerabilities rather than fixing bugs for specific clients. Once our ethical hackers discover an accepted vulnerability in a widely used system such as a CMS, framework, or library, their reported findings are automated into our platform. By discovering undocumented security vulnerabilities through Crowdsource, we make it possible to go beyond the coverage of CVEs.
Surface Monitoring
Surface Monitoring runs continuous checks on the domain level and offers added value by discovering assets you may not even be aware of as well as scanning those assets for vulnerabilities three times per day. The product can:
- Cover your entire public DNS footprint and handle 100,000+ subdomains without any issues.
- Fingerprint your tech stack by mapping out the technologies you use to trigger only the most relevant security tests.
- Help teams set, enforce, and scale customizable security policies so you can focus on the issues that matter most.
- Run real-world, payload-based testing to discover misconfigurations and vulnerabilities in cloud infrastructure, content delivery networks (CDNs), and applications.
Application Scanning
People often refer to our product, Application Scanning, as a DAST scanner. We go beyond the capabilities of a “traditional” DAST scanner by leveraging crawling, fuzzing, and authentication to find vulnerabilities in assets that normally can’t be reached through stateless testing.
- We’ve built our scanner internally and have optimized it using learnings from our Crowdsource community.
- Our crawler handles single-page applications and filters large applications with repetitive content (such as media and e-commerce apps).
- Our powerful authentication engine securely implements MFA authentication and can replay user behaviors.
Go hack yourself
As we mentioned earlier on, we’ve taken DAST as a methodology and reinvented it as a method built into attack surface management (ASM). With the continuous practice of discovering and assessing Internet-facing assets and looking for their vulnerabilities and anomalies, Detectify forms a solution that gives you the most comprehensive coverage of your entire attack surface.
Discovering your organization’s unknown Internet-facing assets and then scanning them aren’t mutually exclusive (and shouldn’t be). That’s why you should take a more holistic approach to cover your attack surface.
Get in touch with us to find out how your team can start reaping the benefits of both DAST and ASM.