Why All DAST Products Suck! (And Why They Still Matter)
In this episode of the “Why All AppSec Products Suck” series, I focus on **Dynamic Application Security Testing (DAST)**—an approach I’ve spent 20+ years developing and refining. DAST tools simulate real-world attacks against running applications, making them powerful, but they also come with serious trade-offs.
I break down both the **strengths** and **limitations** of DAST and show you how to think about it as **one tool in a larger toolkit**, not a silver bullet.
🔍 **What you'll learn in this episode:**
- What DAST is and how it works differently from SAST or IAST
- Why DAST struggles with business logic flaws, JavaScript-heavy apps, and discovery
- Where DAST shines: working without source code, scanning any language, and catching runtime bugs
- How to balance false positives and ensure testing relevance
- How to combine DAST with other tools for maximum security coverage
---
⏱️ **Chapters:**
1. 00:00 – Intro: Why DAST is important (but imperfect)
2. 01:05 – My background: 20 years building DAST tools
3. 02:30 – Why one tool isn’t enough for AppSec
4. 04:10 – How DAST works: simulating users and probing sites
5. 06:10 – DAST’s challenge: discovering custom vulnerabilities
6. 07:30 – The evolution of app technologies (Ajax, JSON, SPAs)
7. 09:30 – Why DAST can’t detect business logic flaws
8. 11:00 – Handling crawling failures and limited visibility
9. 12:30 – The upside: DAST works without source code
10. 14:00 – False positives, automation, and operational integration
11. 15:30 – Final thoughts + why DAST still rocks with the right combo
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **More Content & Resources**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
-
2:43:56
TimcastIRL
7 hours agoJimmy Kimmel FIRED, ABC Pulls Show Over Charlie Kirk Assassination Comments | Timcast IRL
373K202 -
1:58:02
Barry Cunningham
7 hours agoJIMMY KIMMEL CANCELLED | OBAMA IS WHINING! | JD VANCE ON JESSE WATTERS!
104K120 -
2:34:46
TheSaltyCracker
7 hours agoWe Got Him Fired ReeEEStream 9-17-25
150K362 -
43:44
Man in America
9 hours agoAmericans Are About to Lose Everything—And They Don’t Even Know It
54.2K27 -
1:41:11
Adam Does Movies
2 days ago $2.89 earnedTalking Movies + Ask Me Anything - LIVE
41.9K2 -
3:40:08
I_Came_With_Fire_Podcast
15 hours agoNASA Blocks China, TPUSA BOOSTED, Chinese Spamoflauge, & Factional Division
41.6K6 -
33:40
Jamie Kennedy
7 hours agoEp 222 Processing the Loss of Charlie Kirk | HTBITY with Jamie Kennedy
62.1K19 -
1:32:05
Badlands Media
22 hours agoAltered State S3 Ep. 46: Tactical Nukes, Thermite, and the 9/11 Puzzle
74.7K10 -
9:18
ARFCOM News
12 hours ago $1.97 earnedNSSF "Celebrates" ATF Partnership | Glocks BANNED | Redundant Spooky Boi Ban
39.3K9 -
13:09:13
LFA TV
20 hours agoLFA TV ALL DAY STREAM - WEDNESDAY 9/17/25
309K61
