Why All DAST Products Suck! (And Why They Still Matter)
In this episode of the “Why All AppSec Products Suck” series, I focus on **Dynamic Application Security Testing (DAST)**—an approach I’ve spent 20+ years developing and refining. DAST tools simulate real-world attacks against running applications, making them powerful, but they also come with serious trade-offs.
I break down both the **strengths** and **limitations** of DAST and show you how to think about it as **one tool in a larger toolkit**, not a silver bullet.
🔍 **What you'll learn in this episode:**
- What DAST is and how it works differently from SAST or IAST
- Why DAST struggles with business logic flaws, JavaScript-heavy apps, and discovery
- Where DAST shines: working without source code, scanning any language, and catching runtime bugs
- How to balance false positives and ensure testing relevance
- How to combine DAST with other tools for maximum security coverage
---
⏱️ **Chapters:**
1. 00:00 – Intro: Why DAST is important (but imperfect)
2. 01:05 – My background: 20 years building DAST tools
3. 02:30 – Why one tool isn’t enough for AppSec
4. 04:10 – How DAST works: simulating users and probing sites
5. 06:10 – DAST’s challenge: discovering custom vulnerabilities
6. 07:30 – The evolution of app technologies (Ajax, JSON, SPAs)
7. 09:30 – Why DAST can’t detect business logic flaws
8. 11:00 – Handling crawling failures and limited visibility
9. 12:30 – The upside: DAST works without source code
10. 14:00 – False positives, automation, and operational integration
11. 15:30 – Final thoughts + why DAST still rocks with the right combo
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **More Content & Resources**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
-
3:40:28
Barry Cunningham
8 hours agoBREAKING NEWS: PRESIDENT TRUMP ADDRESSES AMERICA FROM THE OVAL OFFICE!
66K21 -
50:30
Sean Unpaved
5 hours agoInside the NFL: Ed Werder Talks Cowboys, Contracts, & Coaches
20.8K1 -
LIVE
GritsGG
8 hours agoWin Streaking! Most Wins 3390+ 🧠
153 watching -
LIVE
WolfsDenBoxing
1 hour agoThe Come Up Boxing Podcast - When you first walk in... What happens?
148 watching -
1:07:26
Jeff Ahern
1 hour agoFriday Freak out with Jeff Ahern
4.78K -
1:04:42
Crypto Power Hour
2 hours agoDeFi's SWIFT Replacement, 2026 Global Financial Revolution PART II
3.35K4 -
21:07
Silver Dragons
3 hours agoBullion Dealer on GOLD VS SILVER Next 15 Years (SHOCKING!)
4.39K1 -
20:29
T-SPLY
18 hours agoWashington Governor Under Risk Of Being Arrested!
13.4K29 -
2:08:43
The Quartering
4 hours agoTrump's Big Announcement LIVE & Today's News!
144K52 -
1:45:59
Tucker Carlson
5 hours agoAaron Lewis on Being Blacklisted from Radio & Why Record Labels Intentionally Promote Terrible Music
55.1K48