Aspect Security's AppSec Blog

DAST Tool Not Working? How to Optimize Dynamic Analysis (Part 2)

Posted by Josh Wallace

Find me on:

5/17/2017

As we discussed in Part 1 of this post, Dynamic Application Security Testing (DAST) is often the first step that many organizations take when embracing application security. 

Yet we learned that most DAST tools do not provide reliable results without being tuned for the specific application being tested. What does that mean for most organizations? 

  • False negatives
  • Damage to a website
  • Incomplete application coverage
  • Too many false positives

How do we optimize our DAST tools, get more out of our tools and avoid these challenges?  Don't miss Part 1, where we discuss how to combat false negatives and avoid website damage.   

Ensure Complete Testing Coverage: Provide Application Credentials

The scanner can only access application resources that are available within the context of the current user. If an unauthenticated user can only access a login page, then the scanner can only access a login page, unless you tell it how to log in.

By providing the dynamic analysis scanner with credentials to the web application, the scanner will be able to look for vulnerabilities on any pages that the credentialed user has access to, thus increasing your scan coverage and providing better results. If your application contains multiple roles, it is important that you perform testing with each specific role, or a role that has access to the entire site.

Decrease Scan Time: Set the Environment Variables

Many dynamic analysis scanners allow you to supply the tool with information about the web application that it will be scanning. This includes information such as the web server’s operating system, the type of database used by the application, the type of web server and more.

By providing these details to the tool, you’ll reduce false positives and decrease your overall scan time by skipping vulnerability checks that are not applicable to your environment.

Mitigate False Positives: Triage. Triage. Triage!

It is no secret that dynamic analysis scanners produce a high number of false positives. This is one reason that many organizations have a hard time embracing dynamic scanning tools. If you provide reports back to development staff with false positives, you will likely be met with scorn and a general lack of acceptance of the tool (and security in general). Over time, the lack of confidence in the security scan results leads to real security vulnerabilities remaining unresolved.

The solution? Have someone review the results of the application scans and mark any false positives. Only deliver actionable security issues back to the developers. This involves some work up-front for the security team, but makes it more likely that your development team will pay attention to security issues and resolve them.

Better Dynamic Scanning Leads to Better Application Security

There you have it. By following these tips, you can get better results from your dynamic analysis tools, reduce false positives and further drive acceptance of application security in your organization. 


Speed up your application security program

Aspect can help you with your application security tool's effectiveness, efficiency and visibility. Maximize the value of your tool investment. Contact us today

How to Overcome Dynamic Scanning Hurdles

 

Topics: Application Security, DAST, Dynamic Application Security Testing, Dynamic Scanning