Dynamic Application Security Testing (DAST) solutions have been around for over a decade, so you might think the market is static. But, that's hardly the case. Web applications and malicious hackers continue to evolve and DAST solutions need to keep pace. According to Gartner, DAST technology analyzes applications in their running state (in real or “almost” real life) during operation or testing phases. It simulates attacks against a Web application, analyzes application reactions and, thus, determines whether it is vulnerable. [Gartner Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2014]
1. Ability to Test Web 2.0 (AJAX), Web Services and Mobile
Applications have evolved to be very complex and transactional - leveraging web services, mobile components and complex workflows like shopping carts. These applications are built with new technologies like HTML5 that delivers the rich clients that today's consumers expect and REST interfaces used by AJAX. These REST interfaces also power most mobile apps, and business to business API's. It's critical that today's scanners understand these new technologies..If a dynamic application security scanner hasn't been modernized to understand these new technologies, it's almost certainly completely skipping that area of the application leaving it untested or requiring that entire section to tested by hand. Most of the pen testers I know already have their hands full testing advanced business logic and other hard to reach areas. DAST solutions should be automatically covering as much of these applications as possible.
2. Continuous Integration API's to Support the SDL
Most of the global enterprises we work with require extensibility to enable them to drive security earlier into the software development lifecycle (SDL) and to connect with existing and home grown tools. Many organizations are integrating their DAST solutions into their Continuous Integration solutions (Hudson, Jenkins, etc) to ensure security testing is conducting easily and automatically before the application goes into production. This requires a dynamic application security scanner that works well in “point and shoot” mode and offers open API's for running scans. Ask your vendor how their scanner would fit into your CI environment.
3. DEV/QA Integration and Flexible Training Options
Security teams are collaborating with development and QA teams to leverage the test automation tools & scripts such as Selenium to create repeatable security tests that can be executed in conjunction with nightly application builds. This is an excellent way to build security into the process from the beginning with very little additional effort. Talk to your DAST scanning vendor about how their integration with Selenium and other automation tools works.
4. Enterprise Reporting for Metrics
Enterprise reporting means different things to different people, so one of the key features a solution should have is flexibility with open access to raw data for custom analytics. You want to make sure that your vendor does not hide the data in any way, and preferably makes it readily available with standard database query option.
5. Point and Shoot High Quality Results
This one is critical! Your dynamic application security scanner must do everything possible on its own to comprehensively crawl the application and then attack it. Of course training can help, but the problem is that organizations often have too many applications and the security team rarely has the time or knowledge of each application to ever possibly be able to train the scanner for them. Additionally that human time could be better spent by the security team to test things that automation cannot, such as privilege escalation and cross-account data leakage.
Ask your DAST vendor if their scanner requires training in order to understand your complex applications, and then test them for yourself. If you would like to read the full whitepaper on "The Case for Integrating Selenium and Application Security Testing", you can download it here.