Dynamic Application Security Testing (DAST) has been around for decades as a way to find vulnerabilities in a running application that static analysis of its source code cannot find. However, as DevOps methodologies have spread in recent years, DAST has come under fire and its worth has been questioned. Used well, though, DAST remains an important and integral part of an application security program.
The most common complaint about DAST today is time: the amount of time a scan typically takes, which is measured in hours rather than minutes. The main reason is that a DAST scan first has to discover the ways it can interact with the application (its pages, links, forms and their parameters), and only then can it send test requests against each of those entry points and report what it finds. The number of test requests grows with the number of entry points multiplied by the parameters on each and the payloads tried against each parameter, so the testing phase dominates scan time.
The other common concern about DAST is that it can be destructive, or at least disruptive, because a scan is a sustained stream of unusual requests. For example, if the application runs on a virtual machine (VM), the VM can run out of memory under the load of the scan. For large applications, the database can be flooded with read and write requests until the application stops responding. For these reasons it is generally recommended to run DAST scans against test and staging environments rather than against production.
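To make the time and load concerns above concrete, here is an added example; it is not code from HCL or AppScan, and it is only a sketch of the two phases the text describes. It enumerates the attack surface (links with query strings, forms and their named inputs) from a constructed three-page site using only the Python standard library, then sizes the testing phase as entry points multiplied by parameters multiplied by payloads. The site, the payload families, their counts and the request rates are all made up for illustration, and the function names (`enumerate_entry_points`, `count_test_requests`, `estimate_scan_seconds`) are this example's own, not a tool's API.

```python
"""Illustrative DAST surface discovery and scan-size estimate (added example,
not HCL AppScan code). The page describes a scan as first discovering how it
can interact with an application and then testing each of those ways. This
does the discovery step over constructed HTML with the standard library and
sizes the test step to show why request count, and with it scan time and load
on the target, grows so fast. Pages, payload families and rates are made up."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

@dataclass(frozen=True)
class EntryPoint:
    method: str
    url: str        # scheme://host/path, query string stripped
    params: tuple   # sorted names of parameters the scanner can inject into

class _SurfaceParser(HTMLParser):
    """Collects <a href> links and <form> elements with their input names."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links, self.forms, self._form = base_url, set(), [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"method": (a.get("method") or "GET").upper(),
                          "action": urljoin(self.base_url, a.get("action") or ""),
                          "params": set()}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):  # unnamed inputs such as submit buttons are not sent
                self._form["params"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def _split(url):
    """(scheme://host/path, parsed url) so query strings don't create duplicates."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}{u.path}", u

def enumerate_entry_points(pages, same_host=True):
    """pages: {page_url: html}. Returns the distinct set of entry points; links
    carrying a query string count as parameterised GET requests."""
    surface = set()
    for page_url, html in pages.items():
        host, parser = urlparse(page_url).netloc, _SurfaceParser(page_url)
        parser.feed(html)
        for link in parser.links:
            base, u = _split(link)
            if same_host and u.netloc != host:
                continue  # out of scope: never fire test payloads at third parties
            surface.add(EntryPoint("GET", base, tuple(sorted(parse_qs(u.query)))))
        for form in parser.forms:
            surface.add(EntryPoint(form["method"], _split(form["action"])[0],
                                   tuple(sorted(form["params"]))))
    return surface

# Constructed payload families: family -> probe values tried per parameter.
PAYLOAD_FAMILIES = {"sqli": 40, "xss": 30, "path_traversal": 15, "cmdi": 20}

def count_test_requests(surface, families=PAYLOAD_FAMILIES):
    """One request per (entry point, injectable parameter, payload value)."""
    return sum(len(ep.params) for ep in surface) * sum(families.values())

def estimate_scan_seconds(n_requests, requests_per_second):
    """Test-phase wall time at a fixed request rate; that rate is the knob that
    keeps a scan from exhausting the target's memory or database."""
    return n_requests / requests_per_second

# Constructed three-page sample site on a single host.
SAMPLE_SITE = {
    "https://app.example/": """
        <a href="/search?q=test">Search</a> <a href="/item?id=1&amp;cat=books">Item</a>
        <a href="https://cdn.example/logo.png">Logo</a>
        <form method="post" action="/login"><input name="user">
          <input name="pass" type="password"><input type="submit"></form>""",
    "https://app.example/item?id=1&cat=books": """
        <a href="/item?id=2&amp;cat=books">Next</a>
        <form action="/review"><input name="id" type="hidden">
          <textarea name="text"></textarea></form>""",
    "https://app.example/search?q=test": '<a href="/search?q=other&amp;page=2">More</a>',
}

if __name__ == "__main__":
    surface = enumerate_entry_points(SAMPLE_SITE)
    n = count_test_requests(surface)
    for ep in sorted(surface, key=lambda e: (e.url, e.method, e.params)):
        print(ep.method, ep.url, ep.params)
    print(f"{len(surface)} entry points -> {n} test requests")
    for rps in (2, 10, 50):  # gentle staging rate vs. a rate that may hurt production
        print(f"at {rps} req/s the test phase takes {estimate_scan_seconds(n, rps)/60:.1f} min")
```

Even this tiny site yields five distinct entry points with nine injectable parameters, and four small payload families turn that into nearly a thousand requests. Real scanners carry far more tests per parameter, and real applications expose hundreds of entry points, which is where the hours come from. Note that the same `/search` path appears twice because the parameter set differs; a scanner that collapsed them would miss the `page` parameter, while one that treated every distinct `id` value as a new page would never finish. The request-rate knob is also the practical answer to the load concern: a low rate is what makes a scan survivable for a shared staging database, and the out-of-scope check is there because a scanner must never send test payloads to hosts you do not own.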
DAST done well is nevertheless an integral and important part of a successful application security program, so how do we resolve these concerns? Let's take a closer look at some of the capabilities introduced in HCL AppScan V10 to do just that.
Make The Most of Your Time
If you are using DAST, wouldn't it be useful if your current scan could leverage previous results and test only what has changed? With version 10, AppScan introduced incremental scanning. The first scan of an application establishes a baseline; subsequent scans compare against that baseline and concentrate on what has changed since, which can result in significant time savings.
A second feature aimed at reducing DAST scan times is automated crawling. It uses page identifiers and machine learning to characterise pages ahead of time, so that AppScan focuses its effort on the pages that matter most and spends less time on less interesting ones.
Make DAST More Dev-Friendly
We know that different teams have different needs and that not all scans are the same, but all too often those needs force a difficult decision. Do we scan for depth to make sure we find every critical vulnerability, or do we scan for speed and risk letting something important slip through the cracks?
For this reason we have introduced Test Optimization. It lets you decide the trade-off between the depth of a scan and the time it takes to run. Early in development, when you only need a general picture, choose the fastest option: it runs the tests with the greatest chance of finding a vulnerability, and we have seen scan times improve by up to 10x, which makes it well suited to integration with build pipelines. Combined with our improvements in SAST, it provides a powerful application security solution.
When the application moves into QA, switch to an option that includes more tests while still keeping pace with DevOps teams. Closer to production, turn Test Optimization off to get full coverage, since a faster setting by definition runs fewer tests and can miss what only the full set would find. Tuning is simply a matter of sliding along a bar scale, so you stay in control of the speed-versus-depth trade-off throughout.
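The incremental scanning paragraph above and the Test Optimization slider both describe a mechanism without spelling it out, so here is an added example, not HCL AppScan code, that shows one plausible implementation of each. The page does not say how AppScan fingerprints an application or ranks its tests, so the fingerprint scheme (hash of method, path and parameter names), the test catalogue with its historical-yield figures, the slider level names and the greedy budget selection are all assumptions made for illustration; `fingerprint`, `select_for_rescan` and `select_tests` are this example's own function names.

```python
"""Illustrative incremental scanning and speed/depth test selection (added
example, not HCL AppScan code). The page says an incremental scan reuses a
baseline so only what changed is re-tested, and that Test Optimization trades
depth for speed by favouring the tests most likely to find a vulnerability.
One plausible mechanism for each is sketched here. The fingerprint scheme,
test catalogue, yield figures and level names are assumptions, not AppScan's."""
import hashlib
import json

def fingerprint(entry_point):
    """Hash of what a test actually exercises: method, path and parameter
    names. Parameter values are deliberately excluded so that volatile ids,
    tokens and timestamps do not make an unchanged form look new."""
    method, path, params = entry_point
    canonical = json.dumps({"m": method.upper(), "p": path, "q": sorted(params)},
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_baseline(surface):
    """surface: iterable of (method, path, params) -> {'METHOD path': fingerprint}."""
    return {f"{m.upper()} {p}": fingerprint((m, p, q)) for m, p, q in surface}

def select_for_rescan(baseline, current_surface):
    """Incremental pass. Returns (entry points to re-test, entry points gone).
    Re-test = new, or parameter set changed; unchanged ones keep baseline findings."""
    current = build_baseline(current_surface)
    to_test = sorted(k for k, fp in current.items() if baseline.get(k) != fp)
    removed = sorted(k for k in baseline if k not in current)
    return to_test, removed

# Constructed test catalogue: (test id, assumed historical yield, requests per parameter).
# Yield = share of past scans in which the test produced a confirmed finding. Made up.
TEST_CATALOGUE = [
    ("sqli-error-based", 0.18, 12),
    ("xss-reflected",    0.22, 10),
    ("path-traversal",   0.06, 15),
    ("cmd-injection",    0.04, 20),
    ("sqli-blind-time",  0.05, 40),  # expensive: relies on deliberate server delays
    ("ssrf-basic",       0.03, 8),
    ("header-injection", 0.02, 6),
    ("xxe",              0.01, 10),
]

# Assumed slider positions -> share of the full request budget allowed.
# "off" means optimization off, i.e. the full test set runs.
OPTIMIZATION_LEVELS = {"fastest": 0.25, "fast": 0.5, "balanced": 0.75, "off": 1.0}

def select_tests(level, catalogue=TEST_CATALOGUE):
    """Greedy knapsack: take tests in order of expected findings per request
    until the level's share of the full budget is spent."""
    budget = OPTIMIZATION_LEVELS[level] * sum(cost for _, _, cost in catalogue)
    ranked = sorted(catalogue, key=lambda t: t[1] / t[2], reverse=True)
    chosen, spent = [], 0
    for test_id, _, cost in ranked:
        if spent + cost <= budget:
            chosen.append(test_id)
            spent += cost
    return chosen

def request_cost(test_ids, catalogue=TEST_CATALOGUE):
    """Requests per parameter that a chosen set of tests will send."""
    return sum(cost for tid, _, cost in catalogue if tid in test_ids)

# Constructed surfaces from two deployments of the same application.
SURFACE_V1 = [("GET", "/search", ["q"]), ("POST", "/login", ["user", "pass"]),
              ("GET", "/item", ["id", "cat"])]
SURFACE_V2 = [("GET", "/search", ["q", "page"]), ("POST", "/login", ["pass", "user"]),
              ("GET", "/review", ["id", "text"])]

if __name__ == "__main__":
    baseline = build_baseline(SURFACE_V1)
    to_test, removed = select_for_rescan(baseline, SURFACE_V2)
    print("re-test:", to_test, "| removed:", removed)
    for level in OPTIMIZATION_LEVELS:
        tests = select_tests(level)
        print(f"{level:>8}: {len(tests)} tests, {request_cost(tests)} requests per parameter")
```

Two caveats follow directly from the mechanism. A baseline keyed on request shape cannot see a change in the server-side code behind an unchanged form, so incremental results are only as fresh as the last full scan; that is the practical reason to run with optimization off, as the text suggests, before production. And because the fast setting drops whole test classes (here the slow time-based blind SQL injection tests never make the cut), a clean fast scan is evidence of absence only for the tests that actually ran, not for the application as a whole.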
Make an Informed DAST-cision
So if you have had your hopes DAST trying to run dynamic testing before, we invite you to take a fresh look at HCL AppScan Version 10. Or, if cloud-based DAST is more to your liking, sign up for a free 30-day trial of HCL AppScan on Cloud.