Can shopping for the right dynamic security testing (DAST) tools be as fun as buying a new pair of sneakers? Maybe not, but there's a lot more at stake here: the security of your apps. In order to release software securely, product teams need to develop new builds, test those builds for security, and fix the bugs found in testing. Only then can software go into production where it's exposed to users in the real world.
Testing software for security and generating useful reports continues to be the biggest challenge security professionals face. Couple that with their struggle to keep pace with the rapid DevOps-enabled pipelines of engineering teams, and you get security engineers that are overwhelmed with impossible deadlines and too many releases to test. The result? The product teams at those companies choose to perform security testing less often in order to maintain their current pace of development.
This can spell disaster for the long-term security of your applications. That's why it's important to find the right combination of tools and technique to enable fast, effective security testing that doesn't slow down development.
Dynamic testing or DAST is the process of testing an application from the outside, ie., from the perspective of an attacker. A dynamic scan tool operates while the software is running, looking for vulnerabilities like SQL injection, cross-site scripting (XSS) and more.
Unlike static analysis (SAST) which looks at vulnerabilities in the code itself, DAST scans can find runtime vulnerabilities not otherwise detectable in the source code. Using the scan results, developers can try to replicate the vulnerabilities and fix them before the app goes into production.
Perhaps the most popular DAST scan tool in the world, ZAP by OWASP is an open source scanner that offers a ton of features and automation capabilities. ZAP has both active and passing scanning modes, allowing it to both actively make requests to the app to identify vulnerabilities, and monitoring traffic to the app without interacting with it.
ZAP is also incredibly flexible as a tool: not only can it easily be integrated with a number of CI/CD platforms like Jenkins and GitHub Actions, its usefulness can be extended through community-written plugins on ZAP Marketplace. In a contest of community support, features, and sheer ease of use, ZAP can probably beat out even some of the advanced paid tools out there.
Another strong contender for the top spot among open source scanners, Nuclei by Project Discovery is a powerful, lightweight tool with some unique features that set it apart from others in its class.
Rather than relying on its own database of vulnerabilities to use while scanning for bugs, Nuclei allows you to write your own YAML templates to narrow down your scan to a specific type of vulnerability. The scanner sends requests across targets based on that template, leading to far fewer false positives than you'd normally encounter in a DAST scan.
As you might expect from an open source tool, there's a thriving community of users who write and share their own templates online, in addition to the nearly 300 templates written by the Project Discovery team themselves. You can get started by using some of these templates from this directory.
Although Burp is a paid scan tool, it has a free community version you can use. Burp Suite is one of the most popular paid scan tools for DAST, and is used by thousands of companies worldwide. It's a lightweight scanner with plenty of options for automation through CI/CD platforms.
Burp also has a powerful API which lets you customise it to your workflow, and can make use of extensions found on the BApp Store. Note that some of the extensions are only available for the paid version Burp Suite.
The Burp Suite team have also released another free tool, Dastardly, which is based on Burp Suite scanner. This scanner is purely focused on finding 7 highly common and critical security issues (cross-site scripting, cross-origin resource sharing, etc.) out of the 160+ issues Burp can find. Check out the list of security issues Dastardly can find.
Acunetix is known for its user-friendly interface and fast scanning capabilities. It offers much more than just a web app scanner, providing combined results for both DAST and IAST, source composition analysis (SCA) for open source components, and native integration with CI platforms like Jenkins.
Acunetix makes it easy to not only run vulnerability scans, but it also generates results quickly and with a low rate of false positives, helping you save resources and time in removing duplicate results.
Checkmarx DAST is part of the Checkmarx suite of security tools, which include SAST, SCA, API security tools and more. Their major selling point is how well their tools integrate into your SDLC through plugins for IDEs, supply chain management, and CI/CD pipelines.
Checkmarx lets you trigger multiple scan types from a single action and correlate the various results to get a complete picture of your application's security posture. It supports over 30 languages, most popular package managers, and a host of infrastructure-as-code (IAC) templates.
Knowing how to run a DAST scan isn't going to help your team if they don't know how to automate it. To achieve scalable security testing that stays on course with your product's SDLC, your team needs to integrate their scan tools with powerful CI platforms to enable rapid-fire testing before each release.
AppSecEngineer offers a suite of courses in DevSecOps, including specific courses on:
We even offer a host of CTF-style challenges where you get to find and fix various vulnerabilities in a real-world environment.
Get subscribed to AppSecEngineer and start learning today!
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.