We did an episode of the Security Table a few weeks ago addressing DAST. The premise was exploring reasonable application security. (Note, this is how I got to the name of this newsletter.) I brought this to the table because I don’t believe DAST is reasonable. I did not raise my hand to signal I think anyone needs DAST.
In case you don’t know, DAST is Dynamic Application Security Testing. A DAST tool scans a running instance of your application and attempts to detect vulnerabilities, from the OWASP Top Ten to other issues that only show up in a live service, whether that service is an API or a web server.
Perhaps I’m using the wrong tool — maybe I don’t know how to configure DAST properly. Perhaps, perhaps. I don’t see the value proposition.
My practitioner recommendation is SAST (static analysis) and SCA (software composition analysis) in the pipeline, and RASP (runtime application self-protection) in the runtime engine. I’ve used this AppSec cocktail multiple times and have had excellent results with the combo. I add DAST only when the procurement/security teams twist my arm and say they won’t buy unless we have DAST.
Feel free to respond if I’m missing something, and let’s take the conversation to the public square and hash it out.
This article first appeared in my weekly Application Security Newsletter, Reasonable Application Security. Please subscribe.