
Why All DAST Products Suck! (And Why They Still Matter)
In this episode of the “Why All AppSec Products Suck” series, I focus on **Dynamic Application Security Testing (DAST)**—an approach I’ve spent 20+ years developing and refining. DAST tools simulate real-world attacks against running applications, making them powerful, but they also come with serious trade-offs.
I break down both the **strengths** and **limitations** of DAST and show you how to think about it as **one tool in a larger toolkit**, not a silver bullet.
🔍 **What you'll learn in this episode:**
- What DAST is and how it works differently from SAST or IAST
- Why DAST struggles with business logic flaws, JavaScript-heavy apps, and discovery
- Where DAST shines: working without source code, scanning any language, and catching runtime bugs
- How to triage false positives and keep findings relevant to the application under test
- How to combine DAST with other tools for maximum security coverage
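To make the strengths and limitations above concrete, here is an added illustration (not code from the episode or from any DAST product): a minimal black-box probe that does what a DAST scanner does at its core. It crawls a target from the outside, harvests links and form fields, injects a marker into every parameter it found, and reports where the marker comes back unencoded. The target is a constructed in-process stand-in for a running application (`target_app`, `MARKER` and all endpoint names are assumptions for this example); the scanner only sees request/response pairs, never source. The target deliberately includes a link that only JavaScript inserts at runtime, so the run shows both the upside (a reflected bug found with no source access) and the discovery gap (a vulnerable route the crawler never reaches).

```python
"""Minimal black-box probe in the spirit of a DAST scanner.

Added example; not code from the episode or from any DAST product.
The target is a constructed in-process web app: the scanner only sees
request/response pairs (as a real scanner talking HTTP would), never source.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Payload that survives unchanged only where output is not HTML-encoded.
MARKER = "dAsT<probe>"


def target_app(method, path, params):
    """Constructed stand-in for a running application. Returns (status, body).

    /         home page: links to /search, has a feedback form, and adds a
              /profile link via JavaScript at runtime (invisible to a crawler
              that does not execute scripts)
    /search   reflects ?q= unescaped (the reflected-XSS bug we want found)
    /feedback escapes ?msg= correctly
    /profile  reflects ?name= unescaped too, but is only reachable through the
              JavaScript-inserted link, so the crawler never gets there
    """
    if path == "/":
        return 200, (
            '<a href="/search?q=test">Search</a>'
            '<form method="get" action="/feedback"><input name="msg"></form>'
            "<script>document.body.innerHTML += "
            "'<a href=\"/profile\">Profile</a>';</script>"
        )
    if path == "/search":
        return 200, f"<p>Results for {params.get('q', '')}</p>"
    if path == "/feedback":
        return 200, f"<p>Thanks: {html.escape(params.get('msg', ''))}</p>"
    if path == "/profile":
        return 200, f"<h1>{params.get('name', '')}</h1>"
    return 404, "not found"


class LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form> definitions from static HTML.
    HTMLParser hands script bodies over as raw text, so markup that a script
    would build at runtime is never seen: that is the crawler's blind spot."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []      # (method, action, [input names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("method", "get").lower(), a.get("action", ""), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def crawl(app, start="/"):
    """Breadth-first crawl from `start`; returns {path: set(parameter names)}."""
    queue, visited, endpoints = [start], set(), {}
    while queue:
        url = queue.pop(0)
        parsed = urlparse(url)
        if parsed.path in visited:
            continue
        visited.add(parsed.path)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        status, body = app("GET", parsed.path, params)
        if status != 200:
            continue
        endpoints.setdefault(parsed.path, set()).update(params)
        parser = LinkFormParser()
        parser.feed(body)
        for href in parser.links:
            queue.append(urljoin(url, href))
        for _method, action, names in parser.forms:
            form_path = urlparse(urljoin(url, action)).path
            endpoints.setdefault(form_path, set()).update(names)
    return endpoints


def probe_reflection(app, endpoints):
    """Send MARKER through every discovered parameter and report where it
    comes back byte-for-byte, i.e. with '<' and '>' left unencoded."""
    findings = []
    for path, names in sorted(endpoints.items()):
        for name in sorted(names):
            _status, body = app("GET", path, {name: MARKER})
            if MARKER in body:
                findings.append((path, name))
    return findings


def scan(app):
    """Full run: discovery first, then active probing of what was discovered."""
    endpoints = crawl(app)
    return endpoints, probe_reflection(app, endpoints)


if __name__ == "__main__":
    found, hits = scan(target_app)
    print("discovered:", {p: sorted(n) for p, n in found.items()})
    print("reflected unescaped:", hits)
    print("missed JS-only route /profile:", "/profile" not in found)
```

Running it reports one finding, `/search` parameter `q`, and never visits `/profile`, whose bug is just as real. That is the whole argument in miniature: a scanner can only test what it can reach, and reachability is decided by how well it discovers the application's surface, which is where JavaScript-driven apps, JSON APIs and workflow-dependent pages hurt. A real product adds an executing browser, API specifications and authenticated session handling to close part of that gap, but the payload-in, marker-out loop is the same.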
---
⏱️ **Chapters:**
1. 00:00 – Intro: Why DAST is important (but imperfect)
2. 01:05 – My background: 20 years building DAST tools
3. 02:30 – Why one tool isn’t enough for AppSec
4. 04:10 – How DAST works: simulating users and probing sites
5. 06:10 – DAST’s challenge: discovering custom vulnerabilities
6. 07:30 – The evolution of app technologies (Ajax, JSON, SPAs)
7. 09:30 – Why DAST can’t detect business logic flaws
8. 11:00 – Handling crawling failures and limited visibility
9. 12:30 – The upside: DAST works without source code
10. 14:00 – False positives, automation, and operational integration
11. 15:30 – Final thoughts + why DAST still rocks with the right combo
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **More Content & Resources**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev