Application SecurityDynamic & Interactive Application Security Testing

Automated penetration tests against your web applications 

Dynamic Application Security Testing (DAST) uses the black box approach compared to SAST to check your application for security vulnerabilities. The application is only tested at runtime, i.e. dynamically during operation. This checks the behavior of the application without knowing the source code (black box approach). DAST should therefore be used especially in the test phase of the software development lifecycle (SDLC) in order to carry out security tests in addition to load, performance and function tests with DAST.

With the help of Interactive Application Security Testing (IAST) you can extend the black-box approach of DAST to a gray-box approach: With IAST, additional data is collected from the application during the tests in order to refine the results of DAST.

In connection with SAST, a holistic overview of the security level of your applications can be obtained.


Thomas Jähnig
CEOThomas Jähnig+49 351 4400 8124+49 157 7465
Die dynamissche Sicherheitanalyse von Anwendungen sucht nach Schwachstellen in der Anwendung während der Ausführung

What is Dynamic Application Security Testing? 

With dynamic security analysis ("Dynamic Application Security Testing") an application is tested - similar to load and performance tests or functional tests - during runtime.

The tools used imitate an attacker who examines the running application for weak points and simultaneously carries out various attacks such as cross-site scripting (XSS) or SQL injections. The behavior of the application during these attacks can be used to gain a picture of the extent to which the application is susceptible to these attacks.

Compared to the static security analysis of an application (SAST), real attacks are carried out here and not only viewed theoretically on the basis of the source code. This enables you to check exactly whether the vulnerabilities found with the help of SAST can actually be exploited.

What you should know


  • Errors are found in the runtime environment (such as weak TLS encryption)
  • Lower false positive rate than SAST
  • At the same time, security systems that are additionally built around the application (e.g. network intrusion detection systems) can be checked for correct functionality


  • Depending on the size of the application, the scans can take a long time, sometimes several days. This means that any changes made during this time cannot be taken into account.
  • DAST can only be used very late in the development cycle, as an executable application is required. Here, however, the static analysis (SAST) of an application can help to get an overview of the security level during the source code development.
Vor- und Nachteile der dynamischen Sicherheitsanalyse
Bei der interaktiven Sicherheitsanalyse werden auch Systeme und Systemdaten in die Analyse einbezogen

What is Interactive Application Security Testing? 

The interactive security analysis extends the dynamic analysis. In addition to the data that the scanner receives in the HTTP responses during testing with DAST tools, additional system data is also transferred from the application server to the scanner.

This gives the scanner deeper insight and can receive further information, such as hidden paths in the application or system log entries. With the help of this information, further attacks can be carried out and the results can be better assessed.

Most tools require an additional agent to be installed on the application server to provide this information.

What you should know


  • An even lower false positive rate than with DAST without IAST


  • An additional agent must be installed
Vor- und Nachteile der interaktiven Sicherheitsanalyse

Any questions?

We are happy to provide you with know-how, specific support services and associated license and support offers.

Background Image Mobile Version