DAST stands for Dynamic Application Security Testing. It’s a black-box suite of tools that test web applications from the front end. DAST examines a running application for potential security vulnerabilities, architectural weaknesses, SQL injection, and cross-site scripting, among other security risks in the OWASP Top Ten.
How is SAST different from DAST and IAST?
SAST looks at the source code without a running application, whereas DAST looks at the running application without the source code. Then IAST looks at things from both the source code and the web application front end to find composite vulnerabilities, which you really wouldn’t find without looking at the big picture.
Do you need to run both DAST and SAST?
You should have security coverage in both the source code and web application. Some organizations might choose to use IAST to cover both of those areas, while others might choose to run SAST and DAST tools separately. But having both of those parts of security testing is important because you will identify some things with SAST and some things with DAST that you won’t identify by just using one or the other.
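The following added example (not from the original page) runs a toy static check and a toy dynamic check against the same constructed sample app to show each reporting something the other does not. The app, its function names and `ROUTES`, and both scanner rules are hypothetical and far simpler than real SAST or DAST tools.

```python
import ast, sqlite3, textwrap
# Constructed sample app (hypothetical names), used only as scanner input.
APP_SOURCE = textwrap.dedent('''
    import sqlite3
    DB = sqlite3.connect(":memory:")
    DB.execute("CREATE TABLE users (name TEXT)")
    DB.execute("INSERT INTO users VALUES ('alice')")

    def search(name):  # exposed; SQL assembled in a variable first
        q = "SELECT name FROM users WHERE name = '%s'" % name
        return DB.execute(q).fetchall()

    def legacy_lookup(name):  # vulnerable, but not wired to any route
        return DB.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

    ROUTES = {"/search": search}
''')

def sast_scan(source):
    """Static view: parse the source, never run it. Toy rule without data-flow
    tracking: execute() whose first argument is built inline from strings."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args
                    and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
                findings.append(func.name)
    return findings

def dast_scan(routes):
    """Dynamic view: no source, only reachable entry points.
    Send a value with an unbalanced quote and flag a leaked database error."""
    findings = []
    for path, handler in routes.items():
        handler("alice")  # baseline request must succeed
        try:
            handler("alice'")
        except sqlite3.Error:
            findings.append(path)
    return findings

def run_app(source):
    """Stand-in for deploying the app: execute it and return its namespace."""
    namespace = {}
    exec(source, namespace)
    return namespace
```

The static rule reports `legacy_lookup`, which no request can reach, while the dynamic probe reports `/search`, which this simple pattern rule misses because the query is assembled in a variable first.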
How can you get started using DAST?
OWASP ZAP is one of the easiest DAST tools to get started with, and it’s open source. OWASP is a great organization that helps professionals understand different security vulnerabilities, write code more defensively, and secure their applications. They put together a free DAST tool and a whole suite of how-to guides to help testers and engineers who don’t have a lot of security experience understand exactly how the tools work, how they identify vulnerabilities, and how to use them effectively, whether you’re doing agile or DevOps.