Application Security Testing + Monitoring with DAST and RASP: A Two-Pronged Approach

Last updated at Wed, 29 Nov 2023 01:17:32 GMT

Every modern company is a software company. Whether you sell a technology product, food delivery, or insurance, you interface with customers through applications—and those applications are a prime target for attackers. In fact, the most common attack pattern associated with an actual breach is typically at the web application layer.

It is essential to have continuous protection for your applications across the entire development lifecycle. Inserting application security practices into the development process as early as possible will help you identify weaknesses sooner, save your team time remediating any issues, and improve collaboration between security and DevOps teams. But no matter how well you secure an app to begin with, you can’t just set it and forget it. You need real-time monitoring and analysis of application behavior.

In other words, for full coverage of your apps, you’ll require multiple application security solutions. Dynamic application security testing (DAST) and runtime application self-protection (RASP) are two of the key ingredients in that mix.

The continuous process of application security

While DAST and RASP are only two parts of a complete application security plan, they do represent two very important sides of a continuous process.
DAST is a proactive solution used to scan an application in the running environment. It’s used during the build and test phases and can carry on into delivery and production. DAST simulates attacker behavior to look for the app’s behavioral weaknesses.

Related: Learn more about Rapid7’s DAST solution, InsightAppSec

While DAST is proactive, RASP is meant to be reactive, as it protects your applications in-production. RASP sits in or near your application while it’s running to monitor and analyze its traffic and behavior.

Related: Learn more about Rapid7’s RASP solution, tCell

Your application security should have both reactive and proactive elements to see the most success. While the benefits of a reactive tool like RASP can clearly be seen when threats are identified, the benefits of a proactive solution like DAST can also be seen when identifying and remediating vulnerabilities occurs earlier in the SDLC.

The benefits of dynamic application security testing (DAST)

DAST solutions increase visibility and help security teams understand how their web applications behave. The technology is not bound by a particular language or technology, so you can use the same tool across all of your custom applications. DAST tools tend to be quite easy to deploy and manage. For example, we see our DAST customers scanning their apps in as little as five minutes.

Application security is still a relatively new field. Many security professionals are more accustomed to finding vulnerabilities in traditional software or infrastructure, which are classified as CVEs. Application vulnerabilities are different. Web application vulnerabilities are usually best described as behavioral weaknesses—exactly what DAST is designed to catch. DAST looks at how your applications are behaving from an attacker’s perspective, finding weaknesses that could be exploited and illustrating how an attacker could break into the system.

The security team’s job is to identify and assess risk, but ultimately it will be the development or DevOps team that remediates the issues. A DAST tool helps with communication and collaboration between development and security. By integrating DAST into your SDLC, it will become part of the regular QA process. Your development team should be used to QA, and integrating DAST into the SDLC could further drive automation within your organization.

If there is resistance from DevOps, the data generated by DAST can help you get back on the same page. You’ll have concrete evidence of issues and will be able to easily reproduce your findings and validate that they exist to show developers.

You might already be using a static application security testing (SAST) tool. Static tools integrate directly into the dev environment and improve code hygiene. They have their place, but unlike DAST, they only look at code rather than functionality. There are aspects of app behavior that can only be examined while the app is running.

How DAST and RASP work together

DAST and RASP aren’t the only application security tools your business should have, but they are both critical components of a solid appsec strategy. Each type of application security tool has its role to play. DAST allows security to be implemented earlier in the development lifecycle. Identifying vulnerabilities early on is an important goal, but you’ll never be able to catch every issue in advance. That’s where RASP comes in, as it will monitor and protect your app down the road.

Without DAST, you’re going to spend time and money fixing errors that could have been prevented, but without RASP, you’re vulnerable to new attacks. DAST and RASP complement each other and are best when used together.

InsightAppSec is Rapid7's cloud-powered DAST solution, while tCell is Rapid7’s next-gen WAF and RASP tool. When used together, you can scan your internal and external modern web applications to effectively test for risk and deliver the insight you need to remediate faster. You can also monitor for real-time attacks and set custom policies for actionable behavior to protect against OWASP Top 10 and zero-day attacks. Both tools integrate seamlessly into your already existing DevSecOps programs with tools like Jenkins, Jira, Puppet, and more.