This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Do you really know DAST?
By Sonali Shah, Chief Product Officer, Invicti Security
Web vulnerability scanners have been around for fifteen years. Many security engineers still remember the times when these were simple manual tools. You would point the vulnerability scanner at the website, as long as it wasn't too complex, and run the tool manually. Then, you would read the reports carefully and use them as the basis for penetration testing.
This is completely unlike today's DAST.
Modern-day technologies evolve so quickly that it's understandably difficult to follow that evolution. Therefore, it's no wonder that many people still think that contemporary DAST tools are just like simple web vulnerability scanners that they used fifteen years ago.
As a result of this perception, many organizations still see security testing as a manual exercise. For them, the vulnerability scanner is just there to save the security researcher time before they do penetration tests. The scanner is wrongly treated as a penetration testing framework, not as an automated security testing platform.
With such perception, security scanning is left in the hands of the security teams. Since manual procedures are not efficient in an agile cycle, they are saved till the cycle is finished. As a result, many businesses start their security testing just before a major release. This often causes the release to be severely delayed if major vulnerabilities are discovered.
You don't have to do that with modern-day DAST.
Today's DAST tools may still be used by security teams but that's not their primary role. To use them efficiently, you should include them in your development pipelines. Modern-day DAST tools interface with CI/CD platforms, work seamlessly with issue trackers and messaging platforms, and provide reports that are designed to be understood by developers.
Leading-edge DAST tools even address the problem of false positives. They do it by being able to confirm most vulnerabilities with 100% confidence. With such confirmation, you can be certain that no further manual penetration testing would be necessary. Your developers won't be frustrated trying to solve problems that don't exist.
Avoid hogging pipelines, overloading security researchers, and panicking when a vulnerability is discovered at the last moment. The way forward, followed by more and more businesses of all sizes, is to shift left.
DAST scans are becoming an integral part of CI/CD pipelines, along with your QA unit and functional testing. Your security teams don't even need to touch the scanner. The tool runs automatically and provides your developers with reports that contain all the information necessary for them to fix the issues on their own.
Free your researchers, make your developers happy, and avoid delays by shifting left with DAST.
Join Invicti Security at Black Hat USA in booth #2047 and see how our best-in-class DAST solutions, Netsparker and Acunetix, can unlock your AppSec future.