We did an episode of the Security Table a few weeks ago addressing DAST. The premise was exploring reasonable application security. (Note, this is how I got to the name of this newsletter.) I brought this to the table because I don’t believe DAST is reasonable. I did not raise my hand to signal I think anyone needs DAST.
In case you don’t know, DAST is Dynamic Application Security Testing. A DAST tool scans a running version of your application and attempts to detect vulnerabilities, from the OWASP Top Ten to other weaknesses in the running services, whether an API or a web server.
I’ve come to believe that DAST is not necessary for three reasons. First, DAST does not operate at the speed of DevOps. If DAST could scan the changes of a single Pull Request, I would be ready to believe in it. But because it cannot scope a scan to a single change, DAST does not run well in a pipeline: it requires tens of minutes to hours to thoroughly scan an application. It doesn’t run fast enough. Secondly, the results I’ve seen come out of it are limited in value. DAST is excellent at identifying a missing security header or an open port, but beyond that the findings I’ve seen pop out are limited. Third, and setting my context, when you deploy an application in a container with a limited container definition, using a solid, mature web-based JavaScript framework, running in a Kubernetes cluster within a cloud provider, there are not many findings that are even possible. By limiting the scope of the running application, I’ve already removed many of the things a DAST could find.
Perhaps I’m using the wrong tool — maybe I don’t know how to configure DAST properly. Perhaps, perhaps. I don’t see the value proposition.
My practitioner recommendation is SAST and SCA in the pipeline and RASP in the runtime engine. I’ve used this AppSec cocktail multiple times and have had excellent results with the combo. I add DAST only when the procurement/security teams twist my arm and say they won’t buy unless we have DAST.
Feel free to respond if I’m missing something, and let’s take the conversation to the public square and hash it out.
This article first appeared in my weekly Application Security Newsletter, Reasonable Application Security. Please subscribe.