There’s often a lack of understanding when it comes to DAST as a methodology versus DAST as a tool. How do they relate to each other, and how do they differ? And how can AppSec and ProdSec teams take advantage of both?
Below, we’ll take a look at how both DAST as a methodology and DAST as a tool relate to what we do at Detectify. More specifically, we’ll explain how Detectify’s solution applies DAST methodology with an External Attack Surface Management (EASM) mindset to deliver the most value to AppSec and ProdSec teams.
Differences between manual and automated security testing
Dynamic Application Security Testing (DAST) is the methodology of testing an application from the outside by performing simulated attacks. DAST methodology probes and sends payloads to a running application and then monitors its behavior in order to detect issues.
In practice, pentesters use DAST methodology when carrying out red team assignments. A pentester could also carry out a code review, which is the manual version of Static Application Security Testing (SAST). Vendors have been offering solutions for automating both dynamic and static testing (DAST and SAST) for quite some time.
The history of DAST tools
DAST tools have been around for over two decades, and they’ve typically been formed to combine capabilities of crawling and fuzzing to test isolated applications. In a nutshell, DAST tools aim to implement DAST methodology in an automated way.
Testing isolated applications worked very well when they were monoliths encapsulating all functionality. With the rise of modern tech architecture, the boundaries of an application have become much more blurry. As a result, individually testing applications is less relevant, as the functionality is spread across multiple different components (e.g. micro services, edge computing, and cloud components). It isn’t uncommon that vulnerabilities arise at the boundaries between components that interpret edge cases in different ways.
With this in mind, it’s no surprise that “traditional DAST” (in other words, DAST tools) tends to be priced in a very unscalable way. Traditional DAST tools often offer the equivalent of one scan profile per application or IP in an attack surface. DAST also tends to have a defined budget at most enterprises, and since many of these organizations only identify a limited list of top assets thought to contain the most sensitive data, the majority of the attack surface is left without any coverage.
As we know, not all subdomains are created equal nor have the same lifespan. Additionally, a subdomain might not contain personally identifiable information (PII), but it might have unauthorized open ports or be susceptible to subdomain takeover.
Detectify can make your budget go further than “traditional” DAST tools can.
Surface Monitoring + Application Scanning = Best-in-class EASM solution
At Detectify, we have taken DAST as a methodology and reinvented it as a method into External Attack Surface Management (EASM). But what does this mean, exactly?
To start, we use DAST methodologies in both our Surface Monitoring and Application Scanning products, which together form our External Attack Surface Management platform. Through using DAST methodology as the base for our EASM platform, we’ve designed our solution to be highly scalable and provide customers with more value.
Compare this to EASM tools that use vulnerability management as the base and CPE/CVE matching, which yields a high rate of false positives. Detectify goes beyond CVE matching by leveraging information about the context of assets, resulting in a 99.7% vulnerability assessment accuracy rate. More than 30% of the tests we run do not have a CVE related to them. Instead, we focus on the payloads that are used in the wild.
We also take DAST another step further by utilizing crowdsource-fueled DAST. Both Surface Monitoring and Application Scanning leverage the same insights from our unique community of ethical hackers. Crowdsource focuses on the automation of vulnerabilities rather than fixing bugs for specific clients. Once our ethical hackers discover an accepted vulnerability in a widely used system such as a CMS, framework, or library, their reported findings are automated into our platform. By discovering undocumented security vulnerabilities through Crowdsource, we make it possible to go beyond the coverage of CVEs.
Surface Monitoring runs continuous checks on the domain level and offers added value by discovering assets you may not even be aware of as well as scanning those assets for vulnerabilities three times per day. The product can:
- Cover your entire public DNS footprint and can handle 100,000+ subdomains without any issues.
- Fingerprint your tech stack by mapping out the technologies you use to trigger only the most relevant security tests.
- Help teams set, enforce, and scale customizable security policies so you can focus on the issues that matter most.
- Discover misconfigurations and vulnerabilities in cloud infrastructure, content delivery networks (CDNs), and applications.
People often refer to our product, Application Scanning, as a DAST scanner. We go beyond the capabilities of a “traditional” DAST scanner by leveraging crawling, fuzzing, and authentication to find vulnerabilities in assets that normally can’t be reached through stateless testing. We make use of insights from Surface Monitoring to improve application scans and focus on providing our customers with ease of use and automation that isn’t offered by many of the traditional DAST scanners on the market.
- We’ve built our scanner internally and have optimized it using learnings from our Crowdsource community.
- Our crawler handles single-page applications and filters large applications with repetitive content (such as media and e-commerce apps).
- Our powerful authentication engine securely implements MFA authentication and can replay user behaviors.
How does this connect to EASM?
As we mentioned earlier on in this article, we’ve taken DAST as a methodology and reinvented it as a method into EASM. With EASM defined as the continuous practice of discovering and assessing Internet-facing assets and looking for their vulnerabilities and anomalies, Detectify’s Surface Monitoring and Application Scanning products work together to form one solution that gives you the most comprehensive coverage of your entire attack surface.
Discovering your organization’s unknown Internet-facing assets and then scanning them aren’t mutually exclusive (and shouldn’t be). That’s why today’s modern tech organization’s are taking a more holistic approach by using Detectify’s platform, benefiting from both the application of DAST methodology and an External Attack Surface Management mindset.
Get in touch with us to find out how your team can start reaping the benefits of both DAST and EASM.