In the beginning, there was DAST. From the earliest days of web applications, the tried-and-true (and much maligned) vulnerability scanning technique has been dynamic analysis, which treats software as a “black box” and attempts to exploit it from the outside through a series of automated attacks that reflect real-world threat vectors. Despite the rise of SAST (static, or “white box” analysis of code itself), software composition analysis (SCA) and a myriad of other techniques, DAST has remained the cornerstone of AppSec practice and is often required for regulatory compliance.
However, it is also one of the least friendly forms of security testing to the software developer, as it must be run long after code is written and deployed, and despite a high degree of accuracy, requires developers to spend significant toil to identify the source of the issue and determine remediation steps. Especially in the modern world of DevSecOps and developer-focused security tools, DAST is an outlier in its inability to be integrated with the developer experience.
Must this always be the case? Recent advancements in runtime monitoring, machine learning, and accuracy of other techniques like SAST may offer new possibilities for dynamic testing for the first time in many years.
Join Snyk, the leader in Developer Security, as we discuss ideas for next-generation DAST, including:
Clinton Herget is Field CTO at Snyk, the leader in Developer Security, where he focuses on crafting and evangelizing our strategic vision for the evolution of DevSecOps. A seasoned technologist, Clinton spent his 20-year career prior to Snyk as a web software developer, DevOps consultant, cloud solutions architect, and engineering director. Clinton is passionate about empowering software engineers to do their best work in the chaotic cloud-native world, and is a frequent conference speaker, developer advocate, and technical thought leader.
Terry Sweeney is a Los Angeles-based writer and editor who's covered business technology for three decades. He's written about cyber security for more than 15 years and was one of the founding editors of Dark Reading. Sweeney has covered enterprise networking extensively, as well as its supporting technologies like storage, wireless, cloud-based apps and the emerging Internet of Things. He's been a contributing editor to The Washington Post, Crain’s New York Business, Red Herring, Information Week, Network World, SearchAWS.com, and Stadium Tech Report.