Why All DAST Products Suck! (And Why They Still Matter)
In this episode of the “Why All AppSec Products Suck” series, I focus on **Dynamic Application Security Testing (DAST)**—an approach I’ve spent 20+ years developing and refining. DAST tools simulate real-world attacks against running applications, making them powerful, but they also come with serious trade-offs.
I break down both the **strengths** and **limitations** of DAST and show you how to think about it as **one tool in a larger toolkit**, not a silver bullet.
🔍 **What you'll learn in this episode:**
- What DAST is and how it works differently from SAST or IAST
- Why DAST struggles with business logic flaws, JavaScript-heavy apps, and discovery
- Where DAST shines: working without source code, scanning any language, and catching runtime bugs
- How to balance false positives and ensure testing relevance
- How to combine DAST with other tools for maximum security coverage
---
⏱️ **Chapters:**
1. 00:00 – Intro: Why DAST is important (but imperfect)
2. 01:05 – My background: 20 years building DAST tools
3. 02:30 – Why one tool isn’t enough for AppSec
4. 04:10 – How DAST works: simulating users and probing sites
5. 06:10 – DAST’s challenge: discovering custom vulnerabilities
6. 07:30 – The evolution of app technologies (Ajax, JSON, SPAs)
7. 09:30 – Why DAST can’t detect business logic flaws
8. 11:00 – Handling crawling failures and limited visibility
9. 12:30 – The upside: DAST works without source code
10. 14:00 – False positives, automation, and operational integration
11. 15:30 – Final thoughts + why DAST still rocks with the right combo
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **More Content & Resources**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
-
LIVE
LFA TV
10 hours agoLFA TV ALL DAY STREAM - TUESDAY 8/19/25
1,340 watching -
2:11:18
The Quartering
4 hours agoToday's Breaking News! Disgusting Grocery Shopping "Haul" Goes Viral, Las Vegas Collapse & More
85.4K27 -
LIVE
StoneMountain64
4 hours agoBest Extraction shooter is FINALLY on Console (+CoD Reveal Today)
218 watching -
3:04:51
Due Dissidence
6 hours agoZelensky RETURNS To DC, HUGE Protests In Israel, Gal Gadot Blames Palestine For Flop, MSNBC Rebrands
31.4K14 -
1:19:29
The HotSeat
2 hours ago🚨 Dems Swear Mail-In Voting Is “Secure”… Trump Says HELL NO 🚨
14.2K7 -
LIVE
Reidboyy
8 hours ago $0.71 earnedNEW FREE FPS OUT ON CONSOLE TODAY! (Delta Force = BF6 Jr.)
58 watching -
29:20
Stephen Gardner
2 hours ago🔥YES! Trump unleashes Democrats’ worst nightmare!
16.9K7 -
![[Ep 731] Trump Leading the World | Islam NOT Compatible with West | Guest Sam Anthony [your[NEWS](https://1a-1791.com/video/fww1/93/s8/1/c/n/K/a/cnKaz.0kob-small-Ep-731-Trump-Leading-the-Wo.jpg)
LIVE
The Nunn Report - w/ Dan Nunn
2 hours ago[Ep 731] Trump Leading the World | Islam NOT Compatible with West | Guest Sam Anthony [your[NEWS
148 watching -
2:05:30
Side Scrollers Podcast
6 hours agoEveryone Hates MrBeast + FBI Spends $140k on Pokemon + All Todays News | Side Scrollers Live
84.9K4 -
46:56
The White House
6 hours agoPress Secretary Karoline Leavitt Briefs Members of the Media, Aug. 19, 2025
51K67