What Is Dynamic Application Security Testing (DAST)? | AppSec 101

  • Published: 27 Aug 2024

Comments • 14

  • @herbcollins9093 4 years ago +8

    Enjoyed this webinar. Rick Smith does a terrific job in describing DAST.

  • @mangeshsalunkhejaijaijagan9073 3 years ago

    It's a very good explanation. Can we see some DAST use cases for top 10 app testing scenarios?

    • @FortifyUnplugged 3 years ago

      We are glad you found it useful. Thank you for the suggestion, and we will aim to create a video on that topic in the future.

  • @mehulpruthi 3 years ago

    Is it advisable to do DAST for COTS applications like SharePoint? Also, what kind of vulnerabilities can we expect in the scanning results of a SharePoint application?

    • @FortifyUnplugged 2 years ago +1

      It is definitely a good idea, and they are just as at risk of vulns as any app, especially environmental and configuration vulns. Thanks for your question!

  • @chackokabraham738 2 years ago

    Hey team, I had a question on DevSecOps. Nowadays teams are using DAST on environments like Azure and AWS where sometimes a WAF is already implemented in the front end, and there is no point in using a DAST tool when the WAF is on. Just checking if the DAST tool should be used in an environment where the WAF is turned off, or any idea how it's normally done?

    • @FortifyUnplugged 2 years ago +1

      Hi Chacko, DAST is important to identify issues in a running application that sometimes cannot be identified by other AST techniques. DAST can also confirm the exploitation of known vulnerabilities identified earlier in the SDLC. Running DAST scans early and often, shifting the scanning process as far left as possible and scanning from Dev all the way to the Production environment, will increase the visibility of dangerous problems that can occur in your applications. Also, there is a misconception that a service running behind a WAF is safe by nature, which is not true. A common issue with WAFs is obfuscated attacks, which can circumvent the rules your WAF solution has in place. Fortify WebInspect (DAST) allows automated creation of a set of WAF rules that can be applied to your WAF product, expediting the WAF staging process and helping to reduce the opportunity for obfuscated attacks. Similarly, WebInspect supports different sets of configurations that can make it suitable for the different SDLC phases you have, like (but not limited to) reducing the number of active threads used for scanning, the custom cookies it inserts during the scanning process, and the rules/check coverage used for the test.
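
Added example (Python; not code from Fortify, WebInspect or the video) illustrating the obfuscation point in the reply above: a hypothetical WAF rule that pattern-matches the raw query string, beside the same rule applied after normalisation. The rules, the `normalize` helper and every payload below are constructed for this example and are not a real WAF's rule set; the point is that a DAST scan that comes back clean only because the WAF swallowed the scanner's requests says nothing about whether the application behind it is actually fixed.

```python
import re
import urllib.parse

# Hypothetical signature rules, as a naive WAF might ship them:
# match the raw query string, case-sensitive, no decoding.
NAIVE_RULES = [re.compile(r"union\s+select"), re.compile(r"<script")]


def naive_waf_blocks(raw_query: str) -> bool:
    """Return True if the naive rules would block this raw query string."""
    return any(rule.search(raw_query) for rule in NAIVE_RULES)


def normalize(raw_query: str) -> str:
    """Canonicalise a query string before matching (constructed helper).

    Undoes the common obfuscations: repeated URL-encoding (a bounded number
    of passes so a pathological input cannot loop forever), SQL inline
    comments used to split keywords (UNION/**/SELECT), whitespace padding,
    and letter case.
    """
    text = raw_query
    for _ in range(3):                      # handle double/triple encoding
        decoded = urllib.parse.unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)  # strip inline comments
    text = re.sub(r"\s+", " ", text)        # collapse whitespace
    return text.lower()


# Same signatures, but matched against the normalised form.
NORMALIZED_RULES = [re.compile(r"union\s+select"), re.compile(r"<\s*script")]


def hardened_waf_blocks(raw_query: str) -> bool:
    """Return True if the rules block the query after normalisation."""
    return any(rule.search(normalize(raw_query)) for rule in NORMALIZED_RULES)


# Constructed payloads: one plain form of the same probe plus four
# obfuscated variants a scanner (or an attacker) might send, and one
# benign request that must not be blocked by either filter.
PAYLOADS = {
    "plain":          "id=1 union select 1,2",
    "case":           "id=1 UNION SELECT 1,2",
    "comment":        "id=1 UNION/**/SELECT 1,2",
    "urlencoded":     "id=1%20union%20select%201,2",
    "double_encoded": "id=1%2520union%2520select%201,2",
    "benign":         "id=1&page=2",
}


def evaluate(filter_fn) -> dict:
    """Map each payload name to whether filter_fn blocks it."""
    return {name: filter_fn(query) for name, query in PAYLOADS.items()}


def evasions(filter_fn) -> list:
    """Names of the malicious payloads that slip past filter_fn."""
    return sorted(name for name, query in PAYLOADS.items()
                  if name != "benign" and not filter_fn(query))


if __name__ == "__main__":
    print("naive rules miss:   ", evasions(naive_waf_blocks))
    print("hardened rules miss:", evasions(hardened_waf_blocks))
    print("benign blocked?     ", hardened_waf_blocks(PAYLOADS["benign"]))
```

The naive filter only catches the plain payload; the four obfuscated forms reach the application untouched, which is exactly the case where a DAST scanner that sends unobfuscated probes would report "blocked" while a slightly different request still gets through. The normalised filter blocks all five without touching the benign request. Either way, the right place to measure the application itself is with the scanner's traffic allowed past the WAF (a detect-only mode, a source allowlist, or a pre-WAF environment), so the findings reflect the app and not the filter in front of it.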

  • @bobbymazumder8769 6 months ago

    When can you skip DAST and not SAST?

  • @blacklivesfallout 3 years ago

    Which is better if I only had to do one?

    • @FortifyUnplugged 3 years ago

      Just to clarify, are you asking about choosing between SAST and DAST if you can only do one?

    • @FortifyUnplugged 3 years ago +2

      If you're asking which is better between SAST and DAST, that's a tough question to answer. There is no clear winner between the two. We encourage customers to do both to ensure they get comprehensive application security testing.

    • @Himanet 1 year ago

      Both are needed