Skip to content

DAST: The Frontline Defense Against Real-World Application Vulnerabilities

Understanding Your Attack Surface

As cyber-attacks and data breaches continue to increase, it’s more important than ever to understand your expanding attack surface. In particular, ensure all of your web applications and application programming interfaces (APIs) are well understood and secure. Of course, those with a comprehensive application security strategy understand this, but those who are only “checking the box” with static application source code scanning today likely don’t. As opposed to static application security testing (SAST), dynamic application security testing or DAST tools simulate real-world attacks and interactions with the application, just as a malicious user would, to detect flaws such as injection vulnerabilities, authentication and authorization issues, input validation weaknesses, sensitive data exposure, and other security risks.

According to most analysts, OpenText™ Fortify is the long-established leader in static application security testing and is widely used throughout the U.S. public and private sectors. However, SAST scanning alone is not enough to mitigate all threats, vulnerabilities, and exposures. This is especially true for web applications and APIs. DAST is particularly useful for testing web applications, web services, and APIs, as it can uncover vulnerabilities that may be difficult to detect through code review or static analysis alone. For a comprehensive strategy, dynamic application security testing (DAST) tools must be made a critical part of understanding and defending your attack surface. There are a number of DAST tools to choose from, but there’s only one that holds the trusted Fortify name, and that is Fortify WebInspect.

Protecting Applications and Data for National Security Interests

As an approved and trusted DAST tool, WebInspect is well established in the U.S. DOD and Intel Community and relied upon as "tried and true." Five outstanding features of WebInspect that I will describe shortly highlight this, but WebInspect is also certified and approved for NIST 800-53 SA-11, DISA STIG compliance, FITARA cybersecurity scores, Executive Measure 3.2, Continuous Authority to Operate (cATO); plus, it is part of the DOD's Information Assurance Approved Products List (IA APL). There are also numerous DOD specifications and guides that call out DAST security controls, such as Navy RAISE 2.0, DOD Enterprise DevSecOps Reference Design, DOD Enterprise DevSecOps Fundamentals, and so on. A simple search online quickly reveals these requirements – most of which Fortify WebInspect can help satisfy.

Why WebInspect?

The U.S. Department of Defense and Intelligence Community requires web application security tools that can handle large, complex applications and accurately identify vulnerabilities, making WebInspect a preferred choice. There are five critical WebInspect features that make it stand out above the rest and should be a central part of any DAST program. These are:

1) Comprehensive scanning capabilities

2) Automatic crawling and scanning

3) Accurate and actionable results

4) Integration with other tools

5) Scalability and flexibility

 

These critical features make WebInspect an excellent choice for any organization looking to secure their web applications. Let’s now drill down on each feature:

1. Comprehensive Scanning Capabilities

WebInspect's comprehensive scanning capabilities have proven to be effective in identifying a wide range of vulnerabilities including SQL injection, cross-site scripting (XSS), buffer overflow, and many others. WebInspect also supports a variety of programming languages and web application frameworks, making it a versatile tool for all types of web applications. In addition, WebInspect has the ability to scan web applications that are not publicly accessible. Since many U.S. agencies' web applications are behind firewalls or require a specific connection, it is challenging for traditional web application scanners to assess them. WebInspect has the ability to scan web applications regardless of their accessibility, making it an immensely valuable tool for these secure organizations.

2. Automatic Crawling and Scanning

WebInspect can scan large, complex web applications efficiently, reducing the amount of manual effort required to expose critical vulnerabilities. Further, WebInspect doesn’t require hours to manually configure the tool or select which pages to scan. WebInspect automatically crawls the web application, saving time and ensuring no pages are missed during the scanning process. The tool requires minimal user intervention, making it remarkably easy to use. WebInspect can even help organizations stay ahead of emerging threats by automatically detecting new pages or functionality.

WebInspect allows for inspection of parts of the application that may not be discoverable through normal crawling, collect information about the internal behaviors of an application during dynamic tests, and detect new types of vulnerabilities – all in real-time. As a result, false positives are filtered out, vulnerabilities are confirmed, and development teams are provided with more actionable details, such as stack trace and line of code detail.

3. Accurate and Actionable Results

Unlike some web application security tools that generate false positives or vague results, WebInspect is known for its accurate and actionable results. No tools are perfect, but the goal is always to provide actionable results in as turnkey a manner as possible. WebInspect provides detailed information about vulnerabilities, including the severity of each issue and how to fix it, which helps teams prioritize and address vulnerabilities quickly and effectively. When used together, WebInspect and Fortify SCA can stimulate the application through automated, external security attacks and then gather internal, code-level vulnerability information by observing the attacks in the code as they happen. Teams can then uncover real issues more quickly, determine root causes, and deliver more actionable results to development for remediation.

 

WebInspect reporting provides a wealth of information, including the severity of each vulnerability, the location of said vulnerability, and the steps that are required to remediate it. This level of detail allows organizations to prioritize remediation efforts and ensure the most critical vulnerabilities are addressed first.

4. Integration with Other Tools

Another great feature of WebInspect is its integration with various systems and technologies to enhance its functionality and compatibility with existing security processes. One of the systems WebInspect can integrate with is Fortify static code analysis (SCA), which makes it easier to manage all aspects of a security program from a single platform. WebInspect also integrates with ALM Octane, which allows seamless collaboration between security and development teams, making it easier to prioritize and address vulnerabilities throughout the software development lifecycle. This enables continuous DevSecOps into the agile SDLC process.

WebInspect integrates with development and testing tools such as integrated development environments (IDEs) and continuous integration/continuous deployment (CI/CD) pipelines. This allows for seamless integration of security testing into the software development lifecycle. These are just a few examples where WebInspect can integrate to improve DevSecOps, maximizing the investment and providing maximum security.

5. Scalability and Flexibility

WebInspect has proven to be up to the task, whether in a small web application or a large, complex one. WebInspect's scalability and flexibility have made it the popular choice for organizations and agencies of all sizes, including some of the most security-conscious agencies out there. When it comes to scalability, WebInspect has proven time and time again to accommodate the needs of organizations, scanning multiple applications simultaneously, allowing for efficient and comprehensive security assessments. Additionally, WebInspect provides flexibility in terms of deployment options. It can be deployed on-premises, in the cloud, or as a managed service. This flexibility allows a choice of deployment method that best suits any organization's unique requirements, infrastructure, and security policies.

In Conclusion

By not implementing DAST as part of your organization’s application security strategy, you risk exposing your organization to significant security risks, potential legal and regulatory penalties, and a lack of confidence in the security of your applications. Adopting DAST is crucial for understanding your attack surface and maintaining a robust and comprehensive application security posture. However, the overall value of DAST lies in its ability to uncover real-world vulnerabilities, reduce security risks, support compliance efforts, and ultimately protect your applications, data, and reputation from potential cyberattacks and data breaches.

Every security-conscious department or organization with web applications can be rest assured that WebInspect is endorsed by the most challenging security environments in the world. Its comprehensive scanning capabilities, automatic crawling, scanning, accurate and actionable results, integration with other tools, and scalability make it an undisputed standout for DAST programs and well deserving of the Fortify name.