Application Security

DAST (Dynamic Application Security Testing)

A testing methodology that analyzes running applications for vulnerabilities by simulating external attacks without access to source code, often called 'black-box' testing. DAST tools interact with the application through its interfaces (HTTP requests, APIs) to find issues like injection flaws, authentication problems, configuration errors, and sensitive data exposure. Unlike SAST, DAST finds runtime-specific issues but cannot pinpoint the exact line of vulnerable code. Popular DAST tools include OWASP ZAP, Burp Suite, Nikto, and Acunetix. DAST is used alongside SAST in a comprehensive application security program and is tested in CEH, OSCP, and DevSecOps certifications.

Why It Matters

In practice, DAST is critical because it tests applications in their actual runtime environment, discovering vulnerabilities that only manifest when code is executing, such as authentication bypasses, session management flaws, and server misconfiguration issues that static analysis cannot detect. Organizations that fail to perform DAST testing miss environment-specific vulnerabilities including insecure headers, exposed admin interfaces, and runtime injection points that attackers will find through reconnaissance. DAST testing of APIs has become increasingly important as microservices architectures expose more endpoints that may lack proper authentication or input validation. Modern DAST tools support authenticated scanning to test behind login pages. On certification exams such as CEH, OSCP, and DevSecOps Foundation, expect questions about comparing DAST with SAST and when to use each, configuring authenticated versus unauthenticated scans, interpreting DAST findings and prioritizing remediation, and integrating DAST into staging environment testing within CI/CD workflows.

Practice this topic

Test your knowledge of DAST (Dynamic Application Security Testing) concepts with exam-style practice questions.

CSSLP GWAPT DevSecOps

Related Application Security terms

OWASP

The Open Web Application Security Project — a nonprofit foundation focused on improving software security through community-led open-source projects, tools, documentation, and standards. OWASP is best known for the OWASP Top 10 — a regularly updated list of the most critical web application security risks (including injection, broken authentication, XSS, and security misconfiguration). Other key projects include the OWASP Testing Guide, ASVS (Application Security Verification Standard), ZAP (Zed Attack Proxy), and the Mobile Security Testing Guide. OWASP resources are referenced across virtually every security certification and are the de facto standard for web application security assessments.

SAST (Static Application Security Testing)

A testing methodology that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program, often called 'white-box' testing. SAST tools scan codebases for patterns that match known vulnerability types such as SQL injection, XSS, buffer overflows, and hardcoded credentials. They integrate into CI/CD pipelines to catch issues early in the development lifecycle (shift-left security). Popular SAST tools include SonarQube, Checkmarx, Semgrep, and Fortify. SAST complements DAST (runtime testing) and is a fundamental practice in DevSecOps and secure SDLC, tested in CSSLP and DevSecOps certifications.

DevSecOps

An approach that integrates security practices within the DevOps process throughout the entire software development lifecycle, making security a shared responsibility rather than an afterthought. DevSecOps automates security testing at every stage: SAST in code commits, dependency scanning in builds, DAST in staging, infrastructure-as-code scanning, and container image scanning before deployment. Key principles include shift-left security, security as code, automated compliance checks, and continuous monitoring in production. Tools include GitHub Advanced Security, Snyk, HashiCorp Vault, and Falco. DevSecOps is increasingly tested in CISSP, CSSLP, and dedicated DevSecOps foundation certifications.

CSRF (Cross-Site Request Forgery)

An attack that forces authenticated users to submit unwanted requests to a web application where they are currently logged in, exploiting the trust that the site has in the user's browser. For example, an attacker could craft a link that transfers funds or changes account settings when clicked by a logged-in user. CSRF works because browsers automatically include session cookies with every request to a domain. Defenses include anti-CSRF tokens (synchronizer tokens), SameSite cookie attributes, checking the Origin/Referer headers, and requiring re-authentication for sensitive actions. CSRF is an OWASP Top 10 vulnerability and is tested in CEH, OSCP, and web application security certifications.