Dynamic Application Security Testing (DAST) is often the first step that many organizations take when embracing application security.
Dynamic analysis (often referred to as black-box testing) is characterized by testing a running web application (as opposed to static analysis of non-running source code). A DAST tool is usually a scanner that is designed to send malformed and malicious HTTP requests to your application, then interpret the responses and detect potential vulnerabilities.
However, despite how they may be sold, most DAST tools will not provide reliable results without being tuned for the specific application being tested.
While mentoring clients all over the country using many different dynamic analysis tools, I have found that incomplete and improper DAST tool configuration leads to a common set of challenges:
- False negatives
- Damage to a website
- Incomplete application coverage
- Too many false positives
How do we optimize our DAST tools, get more out of our tools and avoid these challenges?
Reduce False Negatives: Check Your DAST Scan Coverage
How much time do you spend customizing your dynamic analysis scans? Little to none? You are not alone. Many users of dynamic analysis tools run them “out of the box.” Running scans without thoughtfully adjusting the scan configuration can not only result in a large number of false negatives (i.e. undetected vulnerabilities in your applications) but can also be damaging to your application.
If your application is built on modern frameworks (like Spring MVC or AngularJS) or is designed as a web API, it will only take a couple of hours to get the configuration right. It's worth your time.
Let’s start with the false negatives. The best way to combat them is to check what the scanner actually tested (and did not test). Functionality varies from tool to tool, but most commonly used dynamic analysis scanners provide a report or view showing what pages and inputs were found as well as what pages and inputs were skipped.
It’s important that you have at least some knowledge of the running web application and what its structure looks like. If you are not familiar with the web application, have a developer look at the reports with you to verify that the entire application was covered. If you find that areas of the website were not scanned, the scan configuration for that web site will need to be adjusted.
We've worked with many clients who used DAST tools for months (or even years), only to discover that they had never scanned past the login page. Comparing what should be scanned with what is actually being scanned sounds obvious, but skipping that comparison is a common error.
Avoid Website Damage: Check Your DAST Scan Coverage
Scan coverage affects more than false negatives. If not properly configured, scanners can be damaging to your website. You must understand what functionality is hosted in your application and exclude any areas that are too risky to test. For example, your website may include an interface for adding, modifying, and deleting users. If you do not exclude this functionality, the scanners will add, modify, and delete users from your system – possibly disrupting real users.
Most commercial scanners also include denial of service testing. It is considered best practice to ensure that this feature is disabled to avoid the possibility of bringing down your site, especially if you are scanning an application in production.
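The two checks described above (comparing the scanner's crawl against what the application actually exposes, and confirming that excluded destructive functionality was never touched) can be done with a short script. The following is an added example, not code from the original article or from any particular DAST product. It assumes three constructed inputs: a route inventory exported by a developer (path parameters written as {name}), an exclusion list of destructive routes, and a crawl log in the form "method URL status" pulled from the scanner's crawled-URL report; real tools export these in their own formats, so the parsing would need adapting.

```python
import re
from urllib.parse import urlsplit

# Constructed route inventory: what the application actually exposes.
# In practice a developer exports this (e.g. from the framework's route
# table or a sitemap); path parameters are written as {name}.
EXPECTED_ROUTES = [
    "GET /login",
    "POST /login",
    "GET /account/{id}",
    "GET /orders",
    "POST /orders",
    "GET /api/v1/products/{sku}",
    "GET /admin/users",
    "POST /admin/users",
    "POST /admin/users/{id}/delete",
]

# Constructed exclusion list: destructive functionality that must stay out
# of scope so the scanner cannot create or delete real users.
EXCLUDED_ROUTES = [
    "POST /admin/users",
    "POST /admin/users/{id}/delete",
]

# Constructed crawl log in the form "<method> <url> <status>", as one might
# export from a scanner's crawled-URL report. Note the scanner stopped at
# the login and order listing pages and still hit an excluded delete route.
CRAWL_LOG = """\
GET https://app.example/login 200
POST https://app.example/login 302
GET https://app.example/orders?page=1 200
GET https://app.example/orders?page=2 200
GET https://app.example/api/v1/products/ABC-123 200
POST https://app.example/admin/users/42/delete 200
GET https://app.example/static/app.js 200
"""


def route_regex(pattern: str) -> re.Pattern:
    """Compile 'GET /account/{id}' into a regex matching concrete requests.

    Each {placeholder} segment matches exactly one path segment; every other
    segment is matched literally.
    """
    method, path = pattern.split(" ", 1)
    segments = []
    for seg in path.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            segments.append("[^/]+")
        else:
            segments.append(re.escape(seg))
    return re.compile("^" + re.escape(method) + " " + "/".join(segments) + "$")


def normalize_request(line: str) -> str:
    """Reduce a crawl-log line to '<method> <path>' (host and query string dropped)."""
    method, url, _status = line.split()
    path = urlsplit(url).path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return f"{method} {path}"


def coverage_report(expected, excluded, crawl_log):
    """Compare what should have been scanned with what the scanner requested."""
    requests = [normalize_request(l) for l in crawl_log.splitlines() if l.strip()]
    compiled = [(p, route_regex(p)) for p in expected]
    covered = {p for p, rx in compiled if any(rx.match(r) for r in requests)}
    in_scope = [p for p in expected if p not in excluded]

    # In-scope routes the scanner never touched: each is a potential false negative.
    missed = [p for p in in_scope if p not in covered]
    # Excluded routes that were requested anyway: the scan scope is misconfigured.
    violations = sorted({r for r in requests if any(route_regex(p).match(r) for p in excluded)})
    # Requests matching no inventoried route: static assets or undocumented endpoints.
    unknown = sorted({r for r in requests if not any(rx.match(r) for _, rx in compiled)})
    hit = sum(1 for p in in_scope if p in covered)
    return {
        "coverage": hit / len(in_scope) if in_scope else 1.0,
        "missed": missed,
        "violations": violations,
        "unknown": unknown,
    }


if __name__ == "__main__":
    report = coverage_report(EXPECTED_ROUTES, EXCLUDED_ROUTES, CRAWL_LOG)
    print(f"in-scope coverage: {report['coverage']:.0%}")
    for key in ("missed", "violations", "unknown"):
        for item in report[key]:
            print(f"{key:>10}: {item}")
```

Run against the constructed inputs, the report shows roughly 57% of in-scope routes covered, lists the account, order-creation and admin listing routes as never requested, and flags the delete request as a scope violation that must be fixed in the scanner's exclusion settings before the next run. The "unknown" list is worth reviewing with a developer too: it either points at static assets to exclude or at endpoints missing from the inventory.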
Want more tips?
Now you know two ways you can optimize your DAST tool. Check out Part 2 of this article, which discusses how to ensure complete testing coverage, decrease scan time and mitigate false positives.
Speed up your application security program
Aspect can help you with your application security tool's effectiveness, efficiency and visibility. Maximize the value of your tool investment. Contact us today.