By now, most are familiar with the concept of DevSecOps. With DevSecOps, application security (AppSec) is moved to the beginning of the software development lifecycle (SDLC). By scanning earlier in the SDLC, you are able to find and fix flaws earlier. This can result in significant time and cost savings. Most organizations understand the importance of static analysis, which scans for flaws during development, but dynamic application security testing (DAST) is just as important.
Unlike static analysis, DAST scans for flaws at runtime. It is able to detect configuration errors and validate vulnerabilities found through other AppSec testing techniques. It is vital to scan your applications at runtime because the vulnerabilities found are not just theoretical; they are proven to be exploitable. This means that the likelihood of a false positive with DAST is very low.
How does DAST work?
DAST interacts with the application like an attacker. It starts by performing a crawl to understand the application’s architecture, including links, text, form fills, and other page elements that a user could potentially interact with. It also picks up on attack points that are less visible to the user, such as header values, cookies, and URL parameters. The scanner then audits the objects and attributes discovered by the crawl and sends attacks – like Cross-Site Scripting and SQL Injection – to the objects/attributes to see if they have any exploitable vulnerabilities.
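The crawl-then-audit loop described above, as a small added model (not Veracode's scanner or any code from the original post): a parser collects links and form inputs as attack points, a breadth-first crawl follows the links, and the audit sends a unique harmless marker to every point and reports only the ones that echo it back unencoded, which is why a DAST finding is demonstrated rather than inferred. The target `fake_app`, its paths and its parameter names are all constructed for this example so it runs offline.

```python
"""Minimal DAST-style crawl-then-audit loop (hypothetical example).
The target is a constructed in-memory "application" so everything runs offline."""
import html
import uuid
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


# --- Constructed target: an in-memory web app with one unsafe reflection ---
def fake_app(path, params):
    """Return (status, body) for a GET. 'q' is echoed unescaped (a reflection
    flaw); 'name' is HTML-escaped (safe). Constructed for this example."""
    if path == "/":
        return 200, ('<a href="/search?q=test">Search</a>'
                     '<form action="/greet" method="get">'
                     '<input name="name"></form>')
    if path == "/search":
        q = params.get("q", [""])[0]
        return 200, f"<p>Results for {q}</p>"             # unescaped
    if path == "/greet":
        name = params.get("name", [""])[0]
        return 200, f"<p>Hello {html.escape(name)}</p>"  # escaped
    return 404, "not found"


class SurfaceParser(HTMLParser):
    """Crawl step: collect links and form inputs as candidate attack points."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", "/"), "inputs": []}
        elif tag == "input" and self._form is not None and "name" in a:
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(app, start="/"):
    """Breadth-first crawl from `start`; return attack points as sorted
    (path, parameter) pairs taken from URL query strings and form inputs."""
    points, seen, queue = set(), set(), [start]
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = app(path, {})
        if status != 200:
            continue
        parser = SurfaceParser()
        parser.feed(body)
        for href in parser.links:
            u = urlparse(href)
            for param in parse_qs(u.query):
                points.add((u.path, param))
            if u.path not in seen:
                queue.append(u.path)
        for form in parser.forms:
            for name in form["inputs"]:
                points.add((form["action"], name))
    return sorted(points)


def audit(app, points):
    """Audit step: send a unique marker containing '<>' to each point and
    report only the points that return it verbatim (unencoded reflection)."""
    findings = []
    for path, param in points:
        marker = "dast" + uuid.uuid4().hex[:8] + "<>"
        _, body = app(path, {param: [marker]})
        if marker in body:   # raw '<>' survived: input reaches the page unescaped
            findings.append((path, param))
    return findings


if __name__ == "__main__":
    surface = crawl(fake_app)
    print("attack points:", surface)
    print("confirmed reflections:", audit(fake_app, surface))
```

Note that the escaped `/greet` endpoint is crawled and probed but never reported, because the marker only comes back as `&lt;&gt;`; a real scanner adds many more probe types and follows redirects, cookies and headers, but the decision rule is the same: report what the running application actually does with the input.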
What are the benefits of Veracode’s DAST solution?
Veracode’s DAST solution, dynamic analysis, can be easily automated, provides accurate and actionable results, and returns results in a timely manner. This is very beneficial for both security professionals and developers because it doesn’t add extra work for developers, and it isn’t a time-consuming scan that will significantly slow down time to deployment. In fact, 65 percent of our dynamic analysis scans finish in five hours, and 70 percent finish in eight hours. Best of all? Our false positive rate is less than one percent, so developers can start on remediation right away.
What is an AppSec mix and why is it important?
No two scan types are created equal. Each is designed with a different area of focus, along with varying speed and cost. For example, if you only use static analysis and dynamic analysis, you won’t uncover third-party vulnerabilities. If you only use penetration testing, you won’t be able to automate the process, which slows down your time to deployment and costs a substantial amount of money. A major benefit of Veracode is that all of our solutions are on one platform. So whichever scan types you decide to add to your AppSec program, they will be cost-efficient and low maintenance, and you will have a cohesive reporting toolset that shows your security posture in one place.
For more information on Veracode’s Dynamic Analysis, including common challenges associated with production scanning and how to find the right mix of assessment types, download our technical whitepaper.