According to the Forrester report “The State of Application Security, 2022,” applications are the most common attack vector, with “web application exploits” the third-most-common attack. Accordingly, it is imperative that organizations test their running web applications in the same way that attackers probe them, to identify and eliminate vulnerabilities before they are discovered and exploited by outside agents.
Dynamic application security testing (DAST) is certainly not a new technology, and Synopsys already offers DAST to our customers. But WhiteHat brings an entirely new dimension to our DAST capabilities. Specifically, it brings the ability to safely scan production applications without the need for a separate test environment. This ensures that what is exposed to hackers has been tested as deployed.
This is a critical capability, as the primary objective of DAST is to test running web applications for vulnerabilities such as SQL injection and cross-site scripting. These common vulnerabilities that are exploited in production applications do not exist in source code; they arise only after the application is deployed into production. This makes DAST an essential component of any application security testing program.
There is often confusion regarding the use of static application security testing (SAST) and software composition analysis (SCA) and the need for DAST. SAST and SCA test the application code and therefore discover a different set of vulnerabilities than DAST due to the fundamental differences in their approach. As such, most organizations utilize all three techniques at various points in the development process.
Historically, organizations have been reluctant to run DAST tests against production applications due to fears of data corruption from the DAST testing processes or impact to application performance. Instead, organizations often test the application in a production-like environment. But this opens the door for discrepancies between the testing environment and the production environment, which creates the potential for vulnerabilities to go undetected. The production testing capabilities of WhiteHat effectively eliminate these issues, empowering organizations to test their production systems.