It’s not uncommon for me to hear the following: “DAST is dead” or “We can’t use DAST because we only have APIs.” As co-founder and Chief Security Officer of a company that is 100% focused on the business benefits of DAST, I thought it was time to pen my thoughts and share how Dynamic Application Security Testing, or, as I have lately come to call it, Dynamic API Security Testing (DAST), is evolving.
Downfalls of Legacy DAST
Legacy DAST has been a long-standing tool for organizations. However, as API-based application development has surged and security concerns about APIs have intensified, traditional DAST solutions have struggled to keep up.
1. Slow Scans
Traditional DAST scans are notorious for their sluggishness. Part of this comes from testing in production (issue 3 below) and the rate limiting that requires, but much of it comes from how applications are now built. Decoupling the data layer from the presentation layer led us to Single Page Applications (SPAs), and legacy DAST crawlers handle SPAs poorly: the browser builds and rewrites the Document Object Model (DOM) from JavaScript at runtime, so a crawler that only parses the HTML it fetches never discovers most of the application's routes and API calls. All of this stretches assessments over hours or even days, far too slow to keep pace with modern development cycles. Developers and DevOps teams need faster feedback loops to promptly identify and fix security issues.
2. Lack of API-Specific Capability
Legacy DAST tools were primarily designed to test Web 1.0 applications: server-rendered HTML pages with links to follow and forms to submit. This approach worked well in the past but falls short in today’s API-driven world. Because these tools crawl links and fill in forms rather than reading an API specification and constructing JSON requests, they struggle to test APIs comprehensively, even though APIs often form the most exposed and critical part of modern applications. This leaves organizations with unaddressed vulnerabilities in their API layers.
3. Testing ONLY in Production
Legacy DAST tools typically run against a deployed, reachable URL, which in practice often means live production environments. While this can yield valuable insights, it carries the inherent risk of disruption and potential data exposure. The price of compromising the integrity and availability of live applications can be steep, including damage to an organization’s reputation and loss of customer trust. To limit that risk, teams throttle scans and turn off intrusive checks, which leaves the scans surface-level and ineffective at finding real vulnerabilities.
Benefits of Dynamic API Security Testing (DAST)
1. Fast Testing Times
One of the standout features of Dynamic API Security Testing is speed. Because it exercises the API's endpoints directly rather than crawling a rendered UI, it delivers feedback orders of magnitude faster, letting developers and DevOps teams find and fix security issues during the development phase. This rapid turnaround ensures that vulnerabilities are identified and resolved well before they reach production.
2. API-Centric Expertise
Unlike their predecessors, modern DAST tools are purpose-built for the unique challenges of API security. They understand API-specific attack vectors, authentication mechanisms (API keys, bearer tokens, OAuth flows), and authorization workflows. This specialized knowledge equips them to secure the modern API-driven landscape.
3. Logic Testing
Modern DAST tools are well suited to testing for logic flaws in APIs. The OWASP API Security Top 10 includes several authorization issues (broken object level, object property level, and function level authorization) that SAST cannot test for, because whether user A may read user B’s record is decided by runtime data and configuration, not by anything visible in the source alone. DAST’s core capability is to send many variations of a request to an input and inspect the responses for signs of a vulnerability: for example, fetching an object created by one user with another user’s credentials and checking whether the server hands it over. Because it behaves like a real user or threat actor, this kind of testing also helps prioritize which issues matter most: a finding the scanner actually exploited is not a theoretical one.
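To make the "send variations, inspect responses" idea concrete, here is an added example of the check a DAST tool runs for Broken Object Level Authorization. It is not StackHawk's code or code from this post: the in-memory "API" (a vulnerable and a fixed order lookup), the token-to-user table, and the object names are all constructed for the example. The scanner side creates objects as one user, replays each object's URL with a second user's token, and reports any 200 it gets back; a control request first confirms the attacker can read an object it owns, so that a 404 on the cross-user probe actually proves something.

```python
"""Added example, not StackHawk's or the post's own code.

A minimal version of the dynamic check a DAST tool runs for Broken Object
Level Authorization (BOLA). Everything is constructed: an in-memory "API"
with a vulnerable and a fixed order lookup, and a tester that creates objects
as one user, replays each object's URL with another user's token, and flags
any 200 it gets back.
"""
from dataclasses import dataclass, field

# Hypothetical bearer tokens -> user ids.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}


@dataclass
class Store:
    """In-memory backing store standing in for the API's database."""
    orders: dict = field(default_factory=dict)
    next_id: int = 1


def _caller(headers):
    """Resolve the Authorization header to a user id, or None."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return TOKENS.get(token)


def create_order(store, headers, body):
    """POST /orders: create an order owned by the caller."""
    user = _caller(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    oid, store.next_id = store.next_id, store.next_id + 1
    store.orders[oid] = {"id": oid, "owner": user, "item": body["item"]}
    return 201, store.orders[oid]


def get_order_vulnerable(store, headers, oid):
    """GET /orders/{id}: authenticates the caller but never checks ownership."""
    if _caller(headers) is None:
        return 401, {"error": "unauthenticated"}
    order = store.orders.get(oid)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order  # any logged-in user can read any order: BOLA


def get_order_fixed(store, headers, oid):
    """GET /orders/{id} with an ownership check; foreign ids look like missing ones."""
    user = _caller(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = store.orders.get(oid)
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, order


def bola_scan(store, get_order, victim_token, attacker_token, items=("book", "laptop")):
    """Create objects as the victim, fetch each as the attacker, report leaks.

    Returns (findings, control_ok). control_ok is False when the attacker cannot
    read an object it owns itself, in which case 404s on the cross-user probes
    prove nothing (the endpoint may simply be broken or rate limited).
    """
    victim = {"Authorization": f"Bearer {victim_token}"}
    attacker = {"Authorization": f"Bearer {attacker_token}"}

    # Control request: the attacker's own object must be readable by the attacker.
    status, own = create_order(store, attacker, {"item": "control"})
    control_ok = status == 201 and get_order(store, attacker, own["id"])[0] == 200

    findings = []
    for item in items:
        status, order = create_order(store, victim, {"item": item})
        if status != 201:
            continue
        status, body = get_order(store, attacker, order["id"])
        if status == 200:  # cross-user read succeeded: record path and evidence
            findings.append({"path": f"/orders/{order['id']}", "evidence": body})
    return findings, control_ok


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        findings, control_ok = bola_scan(Store(), handler, "token-alice", "token-bob")
        print(f"{name}: control_ok={control_ok}, {len(findings)} BOLA finding(s)")
        for f in findings:
            print("  ", f["path"], "->", f["evidence"])
```

Against the vulnerable handler the scan reports both of Alice's orders as readable by Bob; against the fixed handler it reports nothing while the control request still succeeds. The fixed handler returns the same 404 for a missing order and for someone else's order, so the scanner cannot use the status code to enumerate which ids exist.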
4. Testing Before Production
Dynamic API Security Testing aligns with the best practice of testing security early in the development lifecycle. By catching vulnerabilities before they make their way into production, organizations avoid costly post-release fixes and mitigate security risk more effectively.
5. Automation
Modern DAST tools are built around automation: they discover, scan, and assess APIs and web applications with minimal manual intervention. This streamlines the testing process, reduces human error, and accelerates the security assessment workflow.
6. Closer to the Code
Running close to the code, against a locally built service or a pull-request environment rather than a remote deployment, is what makes the fast feedback possible. A scan that runs as part of the build returns results to the developer who just wrote the change, while it is still fresh, instead of arriving days later from a production scan. That is where API and application flaws are cheapest to fix, long before they can impact production.
7. Developer-Friendly
Modern DAST tools put developers first, promoting quicker feedback loops. They integrate with development workflows and CI/CD pipelines, so developers can run security tests alongside their unit and integration tests. This closer collaboration between developers and security teams results in more secure APIs, delivered faster.
Conclusion
The pace of API-based application development is not slowing down. For organizations looking to scale and safeguard their applications and data more effectively, adopting a modern approach to DAST, Dynamic API Security Testing, is a necessity. To learn more about StackHawk, sign up for a free account or schedule time to chat with our team of API security experts.
Scott Gerlach is Co-Founder & CSO at StackHawk