DAST: Things You Should Know
The relationship between security testing and applications is a never-ending story. Even after an application is deployed, security testing activities continue. Since absolute security is a myth, one can only strive for the highest level of security achievable. Dynamic Application Security Testing, or DAST, helps a business by addressing the areas generally left out by Static Application Security Testing (SAST). This does not diminish the importance of SAST, but it should be accepted that there are things static analysis cannot measure, even when best security principles are followed.
What is DAST?
Gartner defines DAST as the technologies designed to test the security of an application in its running state. Common DAST activities include testing the exposed interfaces of web applications, or testing a mobile application's handling of remote procedure calls, Session Initiation Protocol (SIP), and so on. DAST comes into play once an application has gone into production or otherwise entered runtime, after the initial development phases. Security testing during the runtime of an application is important because the full extent of the threats it faces can only be realized once it goes live. After a DAST activity is conducted, the resulting automated alerts can be prioritized.
How does DAST help?
SAST helps in finding vulnerabilities and loopholes in the code when an application is being developed. On the other hand, to identify vulnerabilities after the development, DAST can offer benefits in multiple ways. Some of them are discussed below.
1. Memory Usage: Static analysis, or SAST, gives no clue as to how memory is being used by an application. Dynamic tests, on the contrary, help in finding the portions of memory (i.e. RAM) which can be easily exploited. In addition, the testing team can check whether an application exposes critical system resources that, ideally, it should not.
2. Encryption: In the ever-evolving threat landscape, it is only realistic to assume that you are using an encryption algorithm in your application to protect confidential or sensitive information. Static analysis can only check whether the implemented encryption algorithm is working properly. DAST goes far beyond merely checking that the algorithm works: it attempts to break the encryption and thereby examines the possible impact on business operations if attackers were able to get through.
3. Permissions: DAST explores the possibility of malicious code interacting with your application and gaining access as a superuser on a rooted device. Since there is no way to figure this out using static testing, dynamic testing comes to your rescue.
4. Performance: It is only possible to analyze the performance of an application after it has been completely developed and, eventually, run on a set of devices. In dynamic testing, consumption of CPU and RAM resources is checked and then matched against an industry-standard benchmark.
5. Code Injection: Backend security is an integral part of the overall security strategy. In many cases, attackers are able to hijack the authentication tokens communicated between the application and the backend.
The situations discussed above are a few of the many in which dynamic testing saves the day. It also addresses questions such as:
- Is it possible to hack your application using Bluetooth or any other wireless communication?
- Can your application be compromised at startup?
- Is communication between the application and server prone to manipulation during transmission?
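As an added illustration of the third question (this is example code, not part of the original article), the Python script below does what a DAST check does for it: it probes a running HTTP endpoint and reports whether the session cookie and transport headers leave traffic open to interception or tampering in transit. The throwaway local server and both header sets are constructed for the example.

```python
import http.server
import threading
import urllib.request

# Constructed responses standing in for a running backend under test
WEAK_HEADERS = {"Set-Cookie": "session=abc123; Path=/"}
HARDENED_HEADERS = {
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def check_transport_hardening(headers):
    """Return a list of findings for one HTTP response's headers."""
    findings = []
    cookie = headers.get("Set-Cookie", "")
    if cookie:
        # attributes after the name=value pair, lower-cased for comparison
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("session cookie lacks Secure flag")
        if "httponly" not in attrs:
            findings.append("session cookie lacks HttpOnly flag")
    if "Strict-Transport-Security" not in headers:
        findings.append("no HSTS header")
    return findings

def serve(response_headers):
    """Start a minimal loopback HTTP server that answers with the given headers."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            for k, v in response_headers.items():
                self.send_header(k, v)
            self.end_headers()
            self.wfile.write(b"ok")
        def log_message(self, *args):
            pass  # keep the example's output quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def scan(response_headers):
    """Spin up a throwaway server, probe it like a DAST tool would, return findings."""
    srv = serve(response_headers)
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/login"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return check_transport_hardening(resp.headers)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(scan(WEAK_HEADERS))      # three findings
    print(scan(HARDENED_HEADERS))  # []
```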
However, this does not mean that SAST is a mere facade. You cannot replace one with the other, and it is highly recommended that static and dynamic testing activities be performed together. In addition, with DevSecOps gaining traction rapidly, it is only logical that an organization's application testing plan incorporates SAST along with DAST.