Why All DAST Products Suck! (And Why They Still Matter)

2 years ago
53

In this episode of the “Why All AppSec Products Suck” series, I focus on **Dynamic Application Security Testing (DAST)**—an approach I’ve spent 20+ years developing and refining. DAST tools simulate real-world attacks against running applications, making them powerful, but they also come with serious trade-offs.

I break down both the **strengths** and **limitations** of DAST and show you how to think about it as **one tool in a larger toolkit**, not a silver bullet.

🔍 **What you'll learn in this episode:**
- What DAST is and how it works differently from SAST or IAST
- Why DAST struggles with business logic flaws, JavaScript-heavy apps, and discovery
- Where DAST shines: working without source code, scanning any language, and catching runtime bugs
- How to balance false positives and ensure testing relevance
- How to combine DAST with other tools for maximum security coverage

---

⏱️ **Chapters:**
1. 00:00 – Intro: Why DAST is important (but imperfect)
2. 01:05 – My background: 20 years building DAST tools
3. 02:30 – Why one tool isn’t enough for AppSec
4. 04:10 – How DAST works: simulating users and probing sites
5. 06:10 – DAST’s challenge: discovering custom vulnerabilities
6. 07:30 – The evolution of app technologies (Ajax, JSON, SPAs)
7. 09:30 – Why DAST can’t detect business logic flaws
8. 11:00 – Handling crawling failures and limited visibility
9. 12:30 – The upside: DAST works without source code
10. 14:00 – False positives, automation, and operational integration
11. 15:30 – Final thoughts + why DAST still rocks with the right combo

---

📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)

🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)

---

🌐 **More Content & Resources**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev

Loading comments...