A Comprehensive Approach to Dynamic Security Testing (DAST)

In the modern DevOps framework, security has shifted to the left and Application Security Testing (AST) techniques like DAST have become even more important. The latest Forrester reports indicate that application weaknesses and software vulnerabilities are the most common attack methods, and businesses fall victim to ransomware every 11 seconds.

Further, modern-day businesses are consistently grappling with fast-paced development and industry disruptions. Hence, DAST security emerges as a powerful tool to perform thorough and dast testing on the application codes while it is running. 

It is extremely good at identifying a number of external issues and vulnerabilities from the OWASP’s top ten list, such as injection errors, path traversal, cross-site scripting, insecure server configuration, etc. 

Here, we discuss various DAST technologies at length and explore how Appknox emerges as the most comprehensive DAST solution for all businesses.

Security vs Development 

The security teams and development teams have been at loggerheads since time immemorial. While DevOps garnered all the popularity and acclaim because of its "agility, speed and its responsive nature", the security guys have not been exactly happy about that. 

They find this agility and speed to be "risky" and the major drivers behind the "vulnerabilities of applications". 

And, when the developers are pushed to launch apps multiple times in a day, they simply cannot afford security checks that will go on for weeks!

While DevOps applications offer speed, functionality, and scale, they often lack robust security and compliance. Hence, DevSecOps was introduced into the SDLC, to ensure the co-existence of development, operations, and security.

For any app development and distribution business organization, it is crucial to make security an equal consideration apace from development and operations. Once you integrate DevOps and DevSecOps, every network administrator and developer has "security" as one of the major considerations while developing and deploying applications,

While it's almost impossible to automate security testing, because it slows down the SDLC, amidst the huge wave of app development and a rise in the number of new-age companies, the customers of any company are looking at seamless product updates with bulletproof security. 

So, while almost all of us are well-versed with the OWASP’s top ten list of app vulnerabilities, the way they can manifest and other nuances are still out of the limits of our current understanding. 

Present Technologies for Securing Apps within SDLC

There are many technologies that can be used to ensure secure applications. Each has its own role and comes into play during a specific phase of the software development lifecycle.

The Application Security Testing ( AST ) market has three broad categories of app security technologies:

1) Static Application Security Testing (SAST)

Also called white-box testing, SAST does not require a deployed application, but it requires the source code. The tester has access to the underlying framework, implementation, and design, and the app is tested from the inside out. 

SAST can find vulnerabilities in the earlier phases of SDLC as the scan can be run right after the code is considered feature-complete. However, it cannot discover environment-related issues and run-time errors.  

2) Dynamic Application Security Testing (DAST)

DAST tests the application from the outside in. So, a tester adopts the hacker approach and attacks the application with real mobile devices. Hence, a user gets a real-time experience of the types of attacks an attacker would perform and can understand the vicinity of the attack in a real-world scenario to safeguard the app. 

DAST can discover run-time vulnerabilities and environment-related issues, but only in the later stages of SDLC, after the completion of the development cycle. 

As you don’t have to halt any process, or the application itself while performing DAST and this fits perfectly well with the pressed work schedules of the developers. DAST tools are employed during the build and test phases and can continue to work in the delivery and production phases as well.

3) Interactive Application Security Testing (IAST)

IAST is one of the more real-time security assessment technologies as it works from within the app. It works through the code instrumentation, identifies the issues, and reports them while the application is running. 

So, you have a more hands-on and LIVE vision of the overall health of your web app. However, IAST tools are employed in the test phase of SDLC.

Additional Options for Application Security Testing ( AST )

Apart from these three technologies, three other technologies are also popular:

1) Web Application Firewall (WAF)

The WAF tool sits as a firewall in front of the application while it is running and filter out attacks based on preset security rules.

2) Runtime Application Self-Protection (RASP)

RASP also works from the inside of the application, and identifies attacks and blocks them in real-time.

3) Software Composition Analysis (SCA)

SCA scans the code base and reports visibility into open-source software components such as security vulnerabilities, license compliances, etc.

How Does DAST Security Testing Works?

DAST implements automated scans that simulate malicious external attacks on web apps. It identifies the outcomes that aren’t included in the set of expected results. For instance, it injects malicious data into the app to uncover any hidden common injection flaws. 

DAST tests all the HTML and HTTP access points and emulates random user behaviors and actions to find out any underlying software vulnerabilities in the apps.

What makes this testing technique awesome is the fact that the DAST tool does not have access to the source code of your app at any time. So, it rightfully works as an external attacker to find out whether there are any hidden code vulnerabilities or security concerns or not. 

DAST is of little help to the testers when it comes to finding particular faulty lines of code.

Also, there is a catch - DAST is as good as your security expert!

You have to heavily rely on your security experts while implementing the DAST testing and they might have to write tests or fine-tune the tool. Read a complete guide on Dynamic Application Security Testing.

So, does it mean that without having a reliable security analyst, you cannot leverage DAST to its maximum possible capability?

The answer is NO!

We will have more on that in the coming sections.

Getting Started with DAST Solution

With DAST solution, you have to start by defining the strategic values that you expect to obtain from it. As the technology is aligned to the risk, it will help you figure out the areas where security is lacking and on-point for risk mitigation. 

It also helps you in:

• Setting baseline standards for KPI creation
• Setting measurable goals for security 
• Gaining insights into the actual app health
• View and manage data-driven views for better assessment of security investments

Hence, it is important to start DAST implementation with the correct goals, vision, and targets for testing, such as:

• OWASP Top Ten vulnerabilities
• Examine critical apps 
• Any other custom or tailor-made approach toward app security
  
  

What Makes Appknox Real-Time DAST Testing Different From Other Players in the Market 

The real-time DAST testing from Appknox comes with a robust and powerful automated simulation feature that allows you to understand the real-life interactions of your apps with attackers. You have a full understanding of the entire information flow, which allows you to catch loopholes and fix vulnerabilities before they turn into threats. 

Appknox offers more than 130 test cases to evaluate your compliance levels and also offers you detailed reports of all the checks. You can also compare the results against each test case for a better analysis.

The API scans allow you to see all the important information that is being received and shared in every API call, and you can discover as well as mend the vulnerabilities lying therein. 

You can find the impact of these vulnerabilities on your business and also discover the severity levels of these vulnerabilities to figure out whether or not they can turn into a threat. 

What makes DAST an impeccable security partner is the fact that you can find the exact location of the vulnerability as well as discover the vulnerabilities that can cause legal compliance and regulatory issues. 

Let us explore more on this below.

Testing DAST Security through Appknox

DAST is a fully automated tool that makes your job of securing your apps easier and better.

It simulates the real-time interactions between the users (your teams) that access our physical iOS and Android devices via the cloud. The tool detects and finds loopholes that are a threat to your businesses and apps. 

Using Appknox DAST, you can plug and secure these loopholes from runtime and network attacks, such as the Man-in-the-middle attack, etc.

Given below, is a step-wise walkthrough of the entire process, that you can refer to for a better understanding. 

Step 1: Log in

You have to log in using your credentials to access the Appknox DAST UI:

Step 2: Dashboard View

Once you log into the system, you will see a dashboard looking like this:

Here, you can see the various controls, such as projects, analytics, organization, billing and account settings, etc. 

You will also have views of your projects along with the in-depth vulnerability assessment results for them.

Step 3: Upload the Application

Next, you can use the “Upload” option to upload a mobile app for scanning via Appknox DAST, as shown below:

The app takes only a minute or so to upload. Once the app upload completes, the vulnerability assessment starts immediately, as the Static Scan starts running. The static scan takes around a minute to completion and this duration is even smaller for iOS apps, because of the limited number of permissions. 

Step 4: Results of the Static Scan

After the Static scan is over, the results of the scan appear on your screen as shown below:

You can see the different types of vulnerabilities, their ability to turn into risks and threats as well as pointers to fix those issues. 

The results show:

• A brief description of the issue
• Business implications
• The exact location of the issue 
• Tips to resolve the issue

We follow the top three global security standards, namely - CVSS, OWASP, and PCI-DSS for vulnerability assessment.

Step 5: Dynamic Scan

Once you click on the “Dynamic Scan” button, the following screen appears where you select the device and its OS version, as shown below:

Here, you also see the option of “Enable API Capture” that you can enable to detect and capture all the API calls and endpoints that are used in a dynamic session.

The list of all the calls will appear on the screen later and can be used for API testing, as shown below:

During the dynamic scan, you can browse the app, and the more you browse, the more you are able to find the issues.

Once you stop the app, the dynamic scan gets finished. 

Step 6: API Scan

API scan takes 30 to 45 mins and the results show the issues detected during the scan. You can click on the issues and learn more about them. You can also generate a thorough and smart report with actionable insights into all the issues, hash keys, compliance issues, vulnerability data, etc. 

So, it is a reliable developer guide as well.

Appknox DAST offers:

• Risk assessment reference

• Compliance solution

• Business implications

• Code examples for teams that they can use for issue resolution

• Smart reports that can be used by the developers for fixing the issues

Appknox is a highly comprehensive and smart solution, which integrates with the developers’ existing tools and processes, so security teams can work in parallel with development teams, and understand each other’s priorities in a better and more comprehensive manner.

Some of the best ways to integrate DAST are integrating it with:

• CI platforms 
• Ticketing tools
• Offering multiple deployment options, such as cloud, on-premise, or as a managed service
• Producing context-driven and easily manageable reports
• Providing compliance-specific reports, etc.

What makes Appknox the most comprehensive DAST solution?

• Appknox offers Integration with CI platforms such as Jenkins. APIs can be integrated into the build process to automatically run scans of apps and determine the pass/fail status of the build, i.e. quality gates based on security risk. Ideally, you can configure the pass/fail decision criteria.
• Appknox offers Integration with ticketing tools such as Jira, to allow vulnerabilities to be exported directly to Jira for immediate developer visibility. The best solutions allow you to customize ticketing templates to include contexts such as issue type and severity.
• Provides a variety of deployment options to meet your needs: on-premises, in the cloud, or as a managed service.
• Produces reports that are easy to navigate, show context and provide drill-down capabilities; they should allow developers to reproduce the attack with a few clicks.
• Provides compliance-specific reports tailored to important regulations such as PCI-DSS, HIPAA, SOX, GDPR, and OWASP Top Ten. Management reports should show statistics and metrics regarding the security of apps in an easy-to-read summary.
  
  

Some other impressive features include:

• Test automation that reduces manual work
• Allows manual penetration tests and hands-on live simulations 
• Compliance testing 
• Static code analysis and issue tracking
• False-positive testing

Features that are loved by Appknox customers

Here’s what our customers have to say about us!