Dynamic Application Security Testing (DAST)

Learn how DAST actively probes a running application from the outside, sending attacker-style requests to detect exploitable security vulnerabilities.

What is Dynamic Application Security Testing (DAST)?

Dynamic application security testing (DAST) is a black-box testing process that actively probes a running application: it sends attacker-style inputs to the application over the network, observes the responses, and reports the vulnerabilities that are exploitable in the deployed system.

Today, web applications underpin many mission-critical business processes, from public-facing e-commerce stores to internal financial systems. While these web applications enable dynamic business growth, they also frequently harbor latent weaknesses that, if left unidentified and unremediated, can quickly lead to damaging and costly data breaches.

To counter this growing threat, businesses are increasingly deploying dynamic application security testing (DAST) tools as part of a more security-forward approach to web application development. DAST tools provide insight into how your web applications behave while they are running, whether in a staging environment or in production, enabling you to address vulnerabilities before an attacker uses them to stage an attack.

As your web applications evolve, DAST solutions continue to scan them so that you can promptly identify and remediate emerging issues before they develop into serious risks.

Why do you need DAST tools?

Web application attacks may not get the same headlines that ransomware does, but they are without question a major threat to businesses of every kind. One of the most common web-based attacks is SQL injection (SQLi), in which an adversary supplies input containing SQL syntax to a query that the application builds by concatenating untrusted input, and thereby reads, modifies, or deletes data in the application's database, and in some configurations takes control of the database server itself.

Another is cross-site scripting (XSS), in which attackers inject their own script into pages the application serves to other users. The script runs in the victim's browser under the application's origin, where it can steal credentials, session cookies, or other sensitive information, often without either the user or the company noticing that it has happened.

Attackers are known to target content management systems and e-commerce platforms in particular, because a vulnerability in a widely deployed platform, once discovered, can be exploited repeatedly across many installations. Once a web application attack is under way, security teams may fail to detect it for a considerable time.

Meanwhile, the attacker can do as much damage as they like, helping themselves to sensitive corporate and even customer data held in the database behind the web application, such as credit card numbers or personally identifiable information (PII).

Unfortunately for businesses, even relatively unskilled attackers can launch these kinds of attacks easily and, hoping for a lucrative payoff, are highly motivated to do so. They typically look for easily exploitable vulnerabilities in a web application, such as those in the OWASP Top 10, so that they can mount an attack.

DAST tools work in a similar way, probing the application from the outside as an attacker would, and give your security and development teams timely visibility into application behaviors and weaknesses that could be exploited, before an enterprising attacker discovers and capitalizes on them.

How DAST tools strengthen web application security

DAST tools continually search for vulnerabilities in a running web application, hunting for weaknesses that attackers could try to exploit and then showing how they could be exploited remotely. Because DAST works without access to source code, a finding is located by URL and parameter and comes with the request and response that triggered it, not with a line of code. Once a vulnerability is identified, a DAST solution sends automated alerts to the appropriate teams so they can prioritize and remediate it.
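The following is an added example, not code from the page or from any Rapid7 product, that shows in miniature what the attack descriptions above (SQL injection and reflected XSS) and the black-box scanning behavior described in this section look like in practice. The target is a constructed in-process stand-in for a web endpoint, with a deliberately vulnerable handler and a hardened one; the probe sees only inputs and responses, exactly as a DAST scanner would, and runs three classic checks: error-based SQLi, boolean-based SQLi, and reflected XSS. All names, payloads and error signatures are assumptions chosen for illustration.

```python
"""Toy DAST probe: black-box payloads against an in-process stand-in for a running web app."""
import html
import sqlite3
from typing import Callable, Dict

# --- Constructed target: a tiny "search" endpoint, one vulnerable and one hardened version ---

def _make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])  # constructed data
    return db

DB = _make_db()

def vulnerable_search(q: str) -> str:
    """Concatenates user input into SQL and reflects it unescaped: SQLi and reflected XSS."""
    try:
        rows = DB.execute(f"SELECT name FROM users WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:
        return f"<h1>Database error: {exc}</h1>"  # leaks the database error text to the client
    return f"<p>Results for {q}: {', '.join(r[0] for r in rows)}</p>"

def hardened_search(q: str) -> str:
    """Same endpoint fixed: parameterized query plus HTML output encoding."""
    rows = DB.execute("SELECT name FROM users WHERE name = ?", (q,)).fetchall()
    names = ", ".join(html.escape(r[0]) for r in rows)
    return f"<p>Results for {html.escape(q)}: {names}</p>"

# --- Minimal DAST-style probe: sees only requests and responses, never the source ---

Handler = Callable[[str], str]
# Hypothetical signature list; real scanners carry many more per database engine.
SQL_ERROR_SIGNATURES = ("syntax error", "unrecognized token", "sqlite", "mysql", "ora-")
TAUTOLOGY, CONTRADICTION = "' OR '1'='1", "' AND '1'='2"
XSS_MARKER = "<dast-probe>"  # inert tag: if it comes back intact, the page reflects raw HTML

def _strip_payload(resp: str, payload: str) -> str:
    """Remove the echoed payload (raw or HTML-encoded) so only the app's behaviour is compared."""
    return resp.replace(payload, "").replace(html.escape(payload), "")

def probe(handler: Handler) -> Dict[str, str]:
    """Run three classic DAST checks against a handler and return finding -> evidence."""
    findings: Dict[str, str] = {}

    # 1. Error-based SQLi: a stray quote that makes the backend emit a database error.
    resp = handler("'").lower()
    for sig in SQL_ERROR_SIGNATURES:
        if sig in resp:
            findings["sqli-error"] = f"database error signature {sig!r} in response"
            break

    # 2. Boolean-based SQLi: a tautology and a contradiction must look the same to a safe
    #    app; if the pages differ, the input is reaching the SQL parser as syntax.
    true_resp = _strip_payload(handler(TAUTOLOGY), TAUTOLOGY)
    false_resp = _strip_payload(handler(CONTRADICTION), CONTRADICTION)
    if true_resp != false_resp:
        findings["sqli-boolean"] = "tautology and contradiction payloads yield different pages"

    # 3. Reflected XSS: the marker tag must not survive output encoding.
    if XSS_MARKER in handler(XSS_MARKER):
        findings["xss-reflected"] = "input reflected into HTML without encoding"
    return findings

if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(name, probe(h) or "no findings")
```

Running the script reports all three findings against `vulnerable_search` and none against `hardened_search`. Note what the probe does and does not know: it can tell that the tautology returned a different page than the contradiction, which is the evidence a DAST tool attaches to a finding, but it cannot point at the concatenated f-string that caused it; that is the gap SAST and developer triage fill.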

With DAST tools, businesses gain a better understanding of how their web applications behave and can continually surface new and emerging weaknesses as development proceeds. By using DAST to identify vulnerabilities earlier in the software development lifecycle (SDLC), companies save time and money while reducing risk.

Businesses can also use DAST to assist with PCI DSS compliance and other types of regulatory reporting. Some companies voluntarily use the OWASP Top 10 list of application security risks as a compliance benchmark; alternatively, third parties may require that companies evaluate their own web applications and remediate the top vulnerabilities on that list.

Beyond streamlining compliance, a DAST solution can also help developers spot configuration mistakes and errors, and highlight specific user-experience problems in web applications.

Three tips for dynamic application security testing

1. Use DAST early and often for the best results

Companies reap the maximum benefit from a DAST solution when they use it to identify potential weaknesses in their web applications, especially mission-critical ones, as early in the software development lifecycle as possible. Companies that do not deploy DAST early in the SDLC may find that remediating the issues they eventually uncover costs far more money and staff time, not to mention a significant amount of frustration.

2. Enable effective collaboration with DevOps

DAST tools help you prioritize the vulnerabilities they find, but to make sure they are properly fixed you must then hand them off effectively to your colleagues in the DevOps team. For this reason, it is a good idea to fully integrate your DAST tools with the bug-tracking system your DevOps colleagues use. By giving developers precisely the information they need to remediate a vulnerability promptly (the affected URL and parameter, the triggering request, and the observed response), you help them make security a priority and bring your company closer to a DevSecOps mindset.

3. DAST works best as part of a comprehensive approach to web application security testing

Although DAST gives busy security teams timely insight into the behavior of running web applications, SAST and application penetration testing are other effective forms of web application security testing that enterprises typically combine with DAST. SAST provides a useful snapshot of vulnerabilities in an application's source code, which is especially valuable early in the SDLC. Application penetration testing provides a real-world demonstration of exactly how an attacker might break into a specific web application.

As web application attacks increase, businesses are increasingly realizing that they must prioritize web application security early in the SDLC. By implementing a web application security scanner and adopting some basic best practices for both web application security testing and vulnerability remediation, they can significantly reduce their risk and help keep their systems safe from opportunistic attackers.

Read more about DAST

Learn about Rapid7's DAST product
