Security testing for mobile apps is never enough, and by extension, never complete. In some of our earlier blogs, we emphasized the importance of static analysis tools like Appknox for uncovering vulnerabilities in the code. While static analyzers are a godsend, there are things they can't measure – intentional or unintentional access compromise. The point is, code that looks safe may not actually be, even if it follows the world's best security standards. How can you be sure that the developer didn't overlook something subtle that is now baked into the app as an embarrassing vulnerability? Say hello to Dynamic Application Security Testing.
What is Dynamic Application Security Testing ( DAST )?
As the name implies, this type of security testing focuses on the dynamic or runtime characteristics of the app.
Here are some examples:
Instead of checking that a strong encryption algorithm is used, dynamic testing actually tries to break through the encryption and verify that it's indeed working. Since much depends on the version of the software library used, this is indeed the better way of testing the employed encryption.
Static analysis can provide next to no clue about how memory is being used and managed in an app. By contrast, dynamic testing will catch on if there are portions of RAM that can be easily exploited. Or perhaps there are cases where your app is exposing critical system resources that it shouldn't.
Can some malicious code interact with your app and gain superuser permissions on a rooted device? Dynamic testing is the only way to figure this out.
The performance of an app is not clear until it is actually run. How much CPU and RAM it ends up consuming can only be covered in dynamic testing. This is also important for benchmarking against the competition and industry average.
5) Backend code injection:
One very important aspect of security is backend security. Some known attacks exploit the implicit trust that a backend has on the communicating app. In some cases, attackers are able to hijack authorization tokens and cause trouble. Such scenarios lie in the domain of dynamic application testing.
There are countless other scenarios that dynamic security testing covers: is the app hackable through Bluetooth? Can it be compromised at startup time? What matters is that you choose the right service or product that offers maximum protection.
Does all this mean static analysis is just a facade that should be avoided? Not at all. Static analysis remains a key preliminary check. In fact, static and dynamic analysis form a complement – static analysis makes assertions about the state of an app's security, and dynamic analysis verifies (or contradicts) to build on the outcome. We suggest a healthy mix of the two to ensure app security!
Why is DAST Important?
The importance of DAST in terms of security during any software development process is immense. It comes into play in the SDLC as early as the initial building phase. This is the phase where security experts can actually observe how the app is behaving in the HTTP environment and try to simulate attacks from a threat actor's perspective.
One can ask why we should treat DAST as or more important than SAST? The answer is that while SAST has its role in finding errors in the code during the early phases of the SDLC, it doesn't focus on the actual app behavior in a runtime environment.
The best thing about DAST is that it focuses on the real risks rather than coming up with the vulnerabilities which might not pose any risk at all. It brings to attention the security risks that generally occur because of the interactions happening between several complex frameworks like APIs, microservices and others.
These frameworks might be secure on their own, but if they work in collaboration in a complicated web environment can surely cause deep troubles.
How DAST Works?
DAST follows the methodology of simulating malicious external attacks on applications by implementing automated scans. These scans identify threats which are generally not a part of the expected list of threats.
An example of this technique is the injection of malicious data to uncover injection flaws in the application. DAST works by testing all the HTML and HTTP access points and also brings into consideration the typical user behaviour in order to find out vulnerabilities.
Since DAST doesn’t access an application’s source code, it can detect security flaws only by attacking the application from outside. For the same reason, it also can’t help the testers find the particular faulty lines of the code in case some vulnerability is detected.
Advantages and Disadvantages of DAST
There is no doubt about the value DAST brings to the table when it comes to application security testing. Though it excels in most of the security-specific areas, it has its own limitations too. So, let’s take a look at some of the top advantages and disadvantages of this technology.
1. Not dependent on specific languages or platforms
Since DAST is not dependent on the source code of the application, it is not specific to any particular language or platform. And because of this advantage, you can use the same DAST tool for most of your applications.
2. Great at identifying Configuration Issues
We know how DAST is brilliant at finding security vulnerabilities when the application is in an operational state. In addition to this, it also attacks the applications externally and is able to detect configuration issues which are generally missed by other application security testing tools.
3. Shows low false positives
According to OWASP’s Benchmark Project, the false-positive rate for DAST is much lower than the other well-known security testing tools. As a result, testers can not only minimize the vulnerabilities in their applications using DAST but also keep a check on the false noise.
1. Is not scalable
One of the major disadvantages of DAST is that it relies heavily on security professionals to write suitable tests. This is the reason why this technique becomes very difficult to scale.
2. Scans are slow
Many users have reported that DAST scans take unusually high amounts of time and are not that efficient when it comes to speed. Some of the scans can take as long as a few days to complete. Moreover, as DAST is introduced at a later stage in the SDLC, it is usually time-consuming and costly to fix the vulnerabilities found.
3. Doesn’t have any code visibility
DAST has no access or visibility into an application’s codebase. That is why it can’t direct testers and developers to those specific lines of code which are problematic. This also means there is a lesser scope for remediation.
How to Incorporate DAST?
For an effective DAST incorporation, we often have to rely upon the security experts who would write tests and fine-tune the DAST tool. This demands a complete understanding of how the application being tested works and how it is used. Solid knowledge of application servers, web servers, access control lists, traffic flow and databases is also required to efficiently utilize DAST.
There are also some well-known principles based on which DAST integration to any CI/CD pipeline can be done effectively. You can even improvise on these techniques to suit your use case better.
1. DAST should be Incorporated Either During Staging or Production in the SDLC
When it comes to DAST, we know that a functional and running app is the best place to check its effectiveness. Connecting the dots to the SDLC environment, we know how there is a probability to encounter some functional issue while the app is in the testing environment due to the changes being pushed constantly. This makes staging and production environments the perfect running grounds for DAST and this is where one can reap the maximum benefits out of it.
2. Automate Your Tests During Staging Itself Before Deploying to Production
It is generally recommended to automate DAST in CD by triggering scans during the staging itself. After the completion of unit tests and also SAST, you should trigger your DAST scan automatically. You can customize your flow based on the needs also. How you proceed with this purely depends on your risk-taking ability, company policies and the type of your application.
3. Schedule Periodic DAST Scans
Based on your security requirements, it is recommended to schedule periodic DAST scans. Since these tests take a while to complete, it is recommended to start them at night, after a day of work. In order to run scheduled tests successfully and maintain the health of your pipelines, it is better to create separate pipelines instead of integrating them in the staging pipelines.
Why Choose Appknox for DAST?
Appknox’s DAST solution is specifically built to tackle conditions which indicate the presence of security vulnerabilities while the app is in the running state. We simulate the real-time interactions between users and the app is tested and our system analyzes and catches the security loopholes that are threatening in nature. We then help the businesses fix those issues and protect their apps from network and runtime attacks like the man-in-the-middle attacks (MiTM). Based on mDevSecOps, our DAST solution dramatically shortens your development to release time by eliminating any possible security threat. Customers love our product and here is what some of them have said about it.
Find out how the Appknox Dynamic Application Security Testing can take your app’s security to the next level.