Dynamic & Interactive Application Security Testing

Automated penetration tests against your web applications 

Dynamic Application Security Testing (DAST) takes a black-box approach, in contrast to SAST, to check your application for security vulnerabilities. The application is tested only at runtime, i.e. dynamically while it is operating, so its behavior is examined without any knowledge of the source code (the black-box approach). DAST should therefore be used above all in the test phase of the software development lifecycle (SDLC), so that security tests run alongside load, performance and functional tests.

With the help of Interactive Application Security Testing (IAST) you can extend the black-box approach of DAST to a gray-box approach: With IAST, additional data is collected from the application during the tests in order to refine the results of DAST.

In connection with SAST, a holistic overview of the security level of your applications can be obtained.

Contact

Thomas Jähnig
CEO
+49 351 4400 8124
+49 157 7465 3532
tjaehnig (at) proficom.de
Dynamic security analysis of applications looks for vulnerabilities in the application while it is running

What is Dynamic Application Security Testing? 

With dynamic security analysis ("Dynamic Application Security Testing"), an application is tested at runtime, similar to load and performance tests or functional tests.

The tools used imitate an attacker who examines the running application for weak points and, in the process, carries out various attacks such as cross-site scripting (XSS) or SQL injection. The application's behavior during these attacks shows to what extent it is susceptible to them.

Compared to the static security analysis of an application (SAST), actual attacks are carried out here rather than vulnerabilities being assessed theoretically on the basis of the source code. This lets you check precisely whether the vulnerabilities found with the help of SAST can actually be exploited.

What you should know

Advantages

  • Errors are found in the runtime environment (such as weak TLS encryption)
  • Lower false positive rate than SAST
  • At the same time, security systems built around the application (e.g. network intrusion detection systems) can be checked for correct functioning

Disadvantages

  • Depending on the size of the application, the scans can take a long time, sometimes several days. This means that any changes made during this time cannot be taken into account.
  • DAST can only be used very late in the development cycle, as an executable application is required. Here, however, the static analysis (SAST) of an application can help to get an overview of the security level during the source code development.
Advantages and disadvantages of dynamic security analysis
In interactive security analysis, systems and system data are also included in the analysis

What is Interactive Application Security Testing? 

The interactive security analysis extends the dynamic analysis. In addition to the data that the scanner receives in the HTTP responses during testing with DAST tools, additional system data is also transferred from the application server to the scanner.

This gives the scanner deeper insight: it can receive further information such as hidden paths in the application or system log entries. With this information, further attacks can be carried out and the results assessed more accurately.

Most tools require an additional agent to be installed on the application server to provide this information.
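The gray-box idea above can be shown in a few lines. The following is an added illustration, not code from proficom or from any IAST product: a tiny application under test, a hypothetical in-process agent that captures its log records and registered routes, and a scanner-side grading step that compares what can be concluded from the HTTP response alone with what can be concluded once the agent's data is added. The routes, log lines, probe input and grading rules are all constructed for the example.

```python
"""Toy IAST-style feedback loop (added illustration; all names and data constructed).

A DAST scanner only sees HTTP responses.  An IAST agent running inside the
application additionally reports server-side observations (log entries,
registered routes) to the scanner, which can then grade findings with more
confidence and learn about paths that no crawl would have discovered.
"""
from dataclasses import dataclass, field
import logging

# Constructed: the routes the application registers.  "/admin/debug" is not
# linked from anywhere, so a black-box crawl would never see it.
ROUTES = {"/search", "/admin/debug"}


@dataclass
class AgentReport:
    """What the hypothetical agent sends back to the scanner."""
    registered_routes: set = field(default_factory=set)
    log_entries: list = field(default_factory=list)


class AgentHandler(logging.Handler):
    """Assumption: the agent hooks the application's logging to collect entries."""

    def __init__(self, report: AgentReport):
        super().__init__()
        self.report = report

    def emit(self, record: logging.LogRecord) -> None:
        self.report.log_entries.append(self.format(record))


log = logging.getLogger("example_app")


def app(path: str, param: str) -> tuple[int, str]:
    """Constructed application under test: returns (status, body)."""
    if path == "/search":
        try:
            # Constructed defect: the query is built by string concatenation, so a
            # quote in the input breaks the query.  Only the server log records why.
            query = "SELECT * FROM items WHERE name = '" + param + "'"
            if "'" in param:
                raise ValueError("syntax error near " + query)
            return 200, "results for " + param
        except ValueError as exc:
            log.error("db error: %s", exc)
            return 500, "Internal Server Error"
    if path == "/admin/debug":
        return 200, "debug console"
    return 404, "Not Found"


def grade_finding(status: int, agent_log: list[str]) -> str:
    """Scanner-side assessment of one probe.

    With HTTP evidence alone a 500 response is only a suspicion; with the
    agent's log entries the scanner can tie the error to the database layer.
    """
    if status != 500:
        return "none"
    if any("db error" in line for line in agent_log):
        return "confirmed"   # IAST: server-side evidence backs the HTTP observation
    return "suspected"       # DAST alone: nothing more than the status code


def run_scan(crawled_routes: set[str] = frozenset({"/search"})) -> dict:
    """Run one probe with the agent attached and merge both views of the result."""
    report = AgentReport(registered_routes=set(ROUTES))
    handler = AgentHandler(report)
    log.addHandler(handler)
    log.setLevel(logging.ERROR)
    try:
        status, _body = app("/search", "x'")   # constructed probe input
        grade = grade_finding(status, report.log_entries)
        # Routes the agent knows about but the black-box crawl never reached.
        hidden = sorted(report.registered_routes - set(crawled_routes))
    finally:
        log.removeHandler(handler)
    return {"grade": grade, "hidden_routes": hidden, "log": list(report.log_entries)}


if __name__ == "__main__":
    print(run_scan())
```

Running the block grades the same 500 response as "suspected" when only the HTTP status is available and as "confirmed" once the agent's log entry is included, and it lists "/admin/debug" as a route the crawl missed. Real agents hook far deeper (request handling, data flow, framework internals) than a log handler, but the principle is the same: the scanner's verdict is improved by evidence gathered inside the application rather than inferred from responses alone.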

What you should know

Advantage

  • An even lower false positive rate than with DAST alone

Disadvantage

  • An additional agent must be installed
Advantages and disadvantages of interactive security analysis

Any questions?

We are happy to provide you with know-how, specific support services and associated license and support offers.
