Last updated at Sun, 19 Nov 2023 00:59:47 GMT

Is your Dynamic Application Security Testing (DAST) solution leaving you exposed?

We all know the story of the Emperor's New Clothes. A dapper Emperor is convinced by a tailor that he has the most incredible set of clothes, visible only to the wise. The Emperor buys them but cannot see them, because it is a ruse: there are no clothes. Unwilling to admit that he sees nothing, he parades in public before all of his subjects, proclaiming the clothes' beauty, until a child cries out that the Emperor is naked.

Evolving Applications

If there is one thing we know for sure in application security, it's that applications continue to evolve. This evolution continues at such a rapid pace that both security teams and vendors have trouble keeping pace.

Over the last several years, there have been a few major shifts in how applications are built. For several years now we have been security testing multi-page, AJAX-driven applications backed by APIs, and now we are seeing more and more Single Page Applications (SPAs), where the browser loads one HTML shell and client-side JavaScript renders every view by calling JSON APIs. This is happening across all industries and at organizations of all sizes.

Take Gmail for example. In the image below, you can see one of the original versions of Gmail compared to a more recent version. Today's Gmail is a classic example of a modern application.

So, as security professionals, we have built our programs around automated solutions, like DAST, but how are DAST solutions keeping up with these changes?

DAST Solutions - The Widening Coverage Gap

Unfortunately, most application security scanners have failed to keep up with these relatively recent changes. Web scanners were originally architected in the days of classic web applications, when an application was a set of static, relatively simple HTML pages and a crawler could discover the attack surface by following links and submitting forms. That model breaks down on a Single Page Application: the server-rendered HTML is an empty shell plus a script tag, the routes live in client-side JavaScript, and the real attack surface is the JSON API the script calls, none of which a link-following crawler ever requests. Scanners have never covered an entire web application and never will, but they should cover as much of it as possible. Instead, the coverage gap has widened in recent years, forcing security teams to do even more manual testing, particularly of APIs and Single Page Applications. With over-burdened and under-resourced application security teams, testing by hand just doesn't cut it.
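To make the coverage gap measurable rather than anecdotal, here is an added example (not code from the original post or from any scanner vendor) that runs the same minimal link-following crawler over two constructed in-memory sites: a classic multi-page application whose routes are all discoverable from anchors and form actions, and an SPA whose shell contains only a script tag while the routes and API calls live in the bundle. It then compares what the crawler requested against a known route list, which is the check a tester would do with an API definition or route table in hand. The "JS heuristic" mode, which greps the bundle for string literals passed to `fetch()`, is a deliberately crude stand-in for a script-aware engine and is an assumption of this example, not a description of how any real DAST product works.

```python
"""Measure the DAST coverage gap: a link-following crawler on a classic
multi-page app versus on a single-page application whose routes and API
calls exist only in client-side JavaScript. All pages, the bundle and the
route lists below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed classic app: every route is reachable via href/action in HTML.
CLASSIC_PAGES = {
    "/": """<html><body>
      <a href="/inbox">Inbox</a> <a href="/settings">Settings</a>
      <form action="/search" method="get"><input name="q"></form>
    </body></html>""",
    "/inbox": '<a href="/message/42">Read</a> <a href="/">Home</a>',
    "/settings": '<form action="/settings/update" method="post"><input name="sig"></form>',
    "/message/42": '<a href="/inbox">Back</a>',
    "/search": "<p>results</p>",
    "/settings/update": "<p>saved</p>",
}

# Constructed SPA: an empty shell plus a bundle; routing and data access happen
# in JavaScript against JSON endpoints the HTML never references.
SPA_PAGES = {
    "/": '<html><body><div id="root"></div><script src="/static/app.js"></script></body></html>',
    "/static/app.js": """
      const routes = {'/inbox': Inbox, '/settings': Settings};
      async function load(uid) {
        const m = await fetch('/api/v1/messages');
        const s = await fetch('/api/v1/users/' + uid + '/settings', {method: 'PUT'});
      }
    """,
}

# What a tester would list as the real attack surface (constructed route tables).
CLASSIC_ROUTES = set(CLASSIC_PAGES)
SPA_ROUTES = {"/", "/inbox", "/settings", "/api/v1/messages", "/api/v1/users/{id}/settings"}


class LinkExtractor(HTMLParser):
    """Collect href/src/action targets: everything a link-following crawler can see."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def crawl(site, start="/", follow_js_heuristic=False):
    """Breadth-first crawl of an in-memory site; returns the set of paths requested.

    follow_js_heuristic=False behaves like a classic crawler (HTML markup only).
    True additionally greps scripts for literals passed to fetch()/open(); this is
    a crude stand-in for a script-aware engine, assumed here for illustration."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)  # a real scanner would issue the request here
        body = site.get(path)
        if body is None:
            continue
        if path.endswith(".js"):
            found = re.findall(r"""(?:fetch|open)\(\s*[`'"]([^`'"]+)[`'"]""", body) if follow_js_heuristic else []
        else:
            parser = LinkExtractor()
            parser.feed(body)
            found = parser.urls
        queue.extend(urljoin(path, u) for u in found)
    return seen


def coverage(routes, requested):
    """Split known routes into (hit, missed) given the paths a crawl requested.
    A templated segment such as {id} matches any single path segment."""

    def matches(route, path):
        rs, ps = route.strip("/").split("/"), path.strip("/").split("/")
        return len(rs) == len(ps) and all(r == p or r.startswith("{") for r, p in zip(rs, ps))

    hit = {r for r in routes if any(matches(r, p) for p in requested)}
    return hit, routes - hit


def gap_report():
    """Coverage for the classic app, the SPA with links only, and the SPA with the JS heuristic."""
    return {
        "classic": coverage(CLASSIC_ROUTES, crawl(CLASSIC_PAGES)),
        "spa_link_only": coverage(SPA_ROUTES, crawl(SPA_PAGES)),
        "spa_js_heuristic": coverage(SPA_ROUTES, crawl(SPA_PAGES, follow_js_heuristic=True)),
    }


if __name__ == "__main__":
    for name, (hit, missed) in gap_report().items():
        print(f"{name}: covered {len(hit)}/{len(hit) + len(missed)}, missed {sorted(missed)}")
```

The classic app is fully covered, while the link-only crawl of the SPA reaches only the shell. Even the grep heuristic recovers only one API endpoint: the settings URL is built by string concatenation, so its template never appears as a literal, and the client-side routes in the `routes` object are never server requests at all. That is the shape of the gap the paragraph describes, and comparing a scanner's request log against a route table this way is a cheap way to see how much of an SPA or API a given DAST run actually exercised.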