Dynamic Application Security Testing (DAST)

Definition

Dynamic Application Security Testing (DAST) is a black-box testing method that examines an application as it is running to find vulnerabilities that an attacker could exploit. It tests the application from the outside-in, with no knowledge of the underlying source code.

Why It Matters

DAST is effective at finding vulnerabilities that only become apparent when the application is running, such as authentication issues or problems with server configuration. It simulates the actions of a real-world attacker.

Contextual Example

A DAST scanner is pointed at a running web application. It automatically crawls the site and tries to inject malicious payloads into input fields (like search boxes and forms) to test for vulnerabilities like SQL injection and XSS.

Common Misunderstandings

  • DAST is complementary to SAST. SAST tests the code from the inside, while DAST tests the running application from the outside.
  • Because it tests the running application, DAST can only be performed later in the development lifecycle.

Related Terms

Last Updated: December 17, 2025