Dynamic Application Security Testing

Power and simplicity in identifying and remediating web application vulnerabilities

What is Dynamic Application Security Testing?

DAST is the process of analyzing a running web application for externally reachable vulnerabilities by sending simulated attacks against its public-facing interfaces. It is also called black-box security testing: the application is assessed from the outside in, probing for weaknesses the way an adversary would, with no knowledge of its internals.

Pros of DAST

  • Independent of the application's language, framework and platform
  • Finds vulnerabilities that are actually exploitable in the running application, including many of the OWASP Top 10 categories
  • Identifies runtime problems that SAST cannot see, since SAST never executes the code
  • Does not require access to the source code or compiled objects
  • Good at finding server misconfigurations and authentication problems, which helps DevSecOps teams
  • Lower false-positive rate, because findings are confirmed against the running application
  • Integrates with CI/CD pipelines

Key Features and Benefits
  • Up and running in minutes
  • Crawl and attack your modern applications and APIs
  • Scan external and internal applications
  • Take action by leveraging detailed explanations of vulnerabilities, with technical details and remediation recommendations
  • Empower developers with Attack Replay so they can confirm vulnerabilities
  • Use Live Vulnerability View to quickly filter down results and dynamically assign status and severity to reflect your priorities
  • Universal Translator[1] maximizes its test coverage of web apps
  • Integration with Web Application Firewalls, Rapid7 tCell, Swagger, Selenium, Jenkins, and Atlassian

How are DAST and SAST different?

Static application security testing (SAST) takes the inverse approach to DAST: it examines an application from the inside out, using source code, binaries, and so on. The goal of this "white box" testing is to identify coding vulnerabilities.

SAST is used early in the software development life cycle (SDLC), as soon as code exists. DAST needs a running build, so it fits in the build and integration phase of a DevSecOps pipeline, where every deployable build can be scanned before release.

Cloud-Powered Application Security Testing

In today's world of complex, modern web applications, accurate and automated Dynamic Application Security Testing (DAST) tools are rare, but they do exist.

Powered by Rapid7's industry-leading DAST engine, InsightAppSec was built for modern security and DevOps teams looking to embed security into the SDLC. InsightAppSec bridges vulnerability discovery, attack simulation, and remediation through its Universal Translator[1], built-in integrations, and attack replay capabilities to provide comprehensive scan coverage and fast time to value, without hindering the speed of development.

InsightAppSec brings Rapid7's proven Dynamic Application Security Testing (DAST) technology combining powerful application crawling and attack capabilities, flexibility in scan scope and scheduling, and accuracy in results with a modern UI, intuitive workflows, and sensible data organization. It's all delivered via the cloud so that you're up and running in minutes, identifying the critical security risks that exist in your applications.

[1] The Universal Translator increases flexibility by decoupling the discovery and attack engines: every attackable input identified by the discovery engine is translated and normalized into a common universal format that the attack engine understands. This makes it possible to apply the same set of attacks to many input and data format types (query strings, form fields, JSON, XML and so on) without writing format-specific attack logic.
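The footnote describes an architecture rather than a product API, so the following is an added illustration of the principle, not Rapid7's code: a discovery step parses three request formats into one neutral list of inputs, an attack step applies a single payload set without knowing the format, and a serializer writes each mutated request back in its original format. The sample requests (CAPTURED) and payloads (PAYLOADS) are constructed for the example; the Input type and the function names are assumptions of this illustration.

```python
"""Decoupled discovery and attack engines, in the spirit of footnote [1].

Added illustration, not Rapid7 InsightAppSec code. The attack engine only
ever sees Input objects, so one payload set covers every supported format.
"""
import json
from dataclasses import dataclass, replace
from typing import List
from urllib.parse import parse_qsl, urlencode


@dataclass(frozen=True)
class Input:
    """One attackable input in a format-independent shape (assumed type)."""
    name: str      # parameter name, or a dotted path such as "user.email" for JSON
    value: object  # original value; JSON types are preserved for re-serialization
    fmt: str       # "query", "form" or "json": tells the serializer how to write it back


# Constructed sample requests for this example (not captured from a real application).
CAPTURED = {
    "query": "q=shoes&page=2",
    "form": "username=alice&remember=1",
    "json": '{"user": {"email": "alice@example.com", "age": 30}}',
}

# One payload set, written once, applied to every input regardless of format.
PAYLOADS = ["' OR '1'='1", "<script>alert(1)</script>"]


def _flatten(obj, prefix=""):
    """Walk a parsed JSON document and yield (dotted_path, leaf_value) pairs."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix[:-1], obj


def _set_path(obj, path: str, value):
    """Overwrite one leaf of a parsed JSON document, leaving all other leaves intact."""
    keys = path.split(".")
    cur = obj
    for k in keys[:-1]:
        cur = cur[int(k)] if isinstance(cur, list) else cur[k]
    last = keys[-1]
    if isinstance(cur, list):
        cur[int(last)] = value
    else:
        cur[last] = value


def discover(fmt: str, body: str) -> List[Input]:
    """Discovery engine: normalize a request body of the given format into Inputs."""
    if fmt in ("query", "form"):
        return [Input(k, v, fmt) for k, v in parse_qsl(body, keep_blank_values=True)]
    if fmt == "json":
        return [Input(path, v, fmt) for path, v in _flatten(json.loads(body))]
    raise ValueError(f"unsupported format: {fmt}")


def serialize(fmt: str, original: str, inputs: List[Input]) -> str:
    """Write a list of Inputs back into the wire format the request arrived in."""
    if fmt in ("query", "form"):
        return urlencode([(i.name, i.value) for i in inputs])
    if fmt == "json":
        obj = json.loads(original)
        for i in inputs:
            _set_path(obj, i.name, i.value)
        return json.dumps(obj)
    raise ValueError(f"unsupported format: {fmt}")


def attack(fmt: str, body: str) -> List[str]:
    """Attack engine: one mutated request per (input, payload) pair.

    Nothing in here is format-specific; the format only matters at the edges,
    inside discover() and serialize().
    """
    inputs = discover(fmt, body)
    requests = []
    for idx, target in enumerate(inputs):
        for payload in PAYLOADS:
            mutated = list(inputs)
            mutated[idx] = replace(target, value=payload)
            requests.append(serialize(fmt, body, mutated))
    return requests


if __name__ == "__main__":
    for fmt, body in CAPTURED.items():
        for req in attack(fmt, body):
            print(f"{fmt:5} {req}")
```

Adding a new format means writing one parser and one serializer; the payload library and the attack loop are untouched, which is the coverage benefit the footnote is describing. Note that the JSON path keeps untouched leaves with their original types (the integer age stays an integer), so a mutated request differs from the original only in the targeted input.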

Have questions? Let's talk

Arcane experts are ready to answer your questions