🛡️ Dynamic Application Security Testing (DAST)

🔍 What is DAST?

• Dynamic Application Security Testing (DAST) is a black-box security testing technique that analyzes a running application to identify security vulnerabilities from the outside, exactly like a real attacker would.

• DAST tests the application behavior, not the source code.

• Think of it as ethical hacking inside your CI/CD pipeline.

---

⚙️ Where DAST Fits in DevOps

Code ➜ Build ➜ Test ➜ Deploy ➜ Run
                    🔍 DAST

DAST is usually executed:

• After deployment to staging
• Sometimes in production (read-only scans)

---

🚀 How DAST Works (Simple Flow)

1️⃣ App is deployed and running
2️⃣ DAST tool sends malicious requests
3️⃣ App responds
4️⃣ Tool analyzes responses
5️⃣ Vulnerabilities are reported

🧠 No access to source code
🧠 No need to know the internal logic

---

🧪 What DAST Can Detect

✅ SQL Injection
✅ Cross-Site Scripting (XSS)
✅ Broken Authentication
✅ Insecure Cookies
✅ Open Redirects
✅ Security Misconfigurations

🟥 DAST finds what attackers exploit, not what developers write

---

❌ What DAST Cannot Do Well

❌ Logic flaws
❌ Dead code vulnerabilities
❌ Issues hidden behind complex auth
❌ Vulnerabilities that require source analysis

---

🆚 DAST vs SAST (Quick Comparison)

Feature	🧠 SAST	🌐 DAST
Tests	Source code	Running app
Access needed	Yes	No
Finds runtime issues	❌	✅
Finds early bugs	✅	❌
Attacker view	❌	✅

👉 Best practice: Use both.

---

🔄 DAST in a CI/CD Pipeline

DAST:
  stage: security
  script:
    - deploy_to_staging
    - run_dast_scan
    - fail_pipeline_on_critical

✔ Automated
✔ Repeatable
✔ Enforced security gates

---

🧩 Real Example

🛒 Online Shopping App

• App deployed to staging
• DAST scan triggered automatically

• Tool discovers:

  • /login vulnerable to SQL injection
  • Session cookie missing HttpOnly

• Pipeline fails ❌

• Developer fixes issue

• Scan reruns

• Pipeline passes ✅

🔥 Bug fixed before production exposure

---

🧰 Popular DAST Tools

🔹 OWASP ZAP
🔹 Burp Suite
🔹 Nikto
🔹 Acunetix
🔹 Netsparker

---

📈 Why DAST Matters in DevOps

🟢 Catches real-world attacks
🟢 Reduces breach risk
🟢 Improves compliance (PCI-DSS, ISO, SOC2)
🟢 Strengthens production confidence

⚠️ Without DAST, you ship code that only looks secure.

---

🧠 Best Practices

✔ Run DAST on every major release
✔ Scan authenticated endpoints
✔ Integrate with CI/CD
✔ Prioritize high & critical findings
✔ Combine with SAST + SCA

---

🧠 One-Line Summary

DAST tests your application the same way attackers do, but before they get the chance.