In contrast to SAST, Dynamic Application Security Testing (DAST) takes a black-box approach to checking your application for security vulnerabilities. The application is tested only at runtime, i.e. dynamically while it is operating, so its behavior is examined without any knowledge of the source code (black-box approach). DAST should therefore be used especially in the test phase of the software development lifecycle (SDLC), so that security tests are carried out alongside load, performance and functional tests.
Interactive Application Security Testing (IAST) extends the black-box approach of DAST to a gray-box approach: with IAST, additional data is collected from the application during the tests in order to refine the DAST results.
Combined with SAST, this gives a holistic overview of the security level of your applications.
The tools imitate an attacker who probes the running application for weak points and carries out various attacks, such as cross-site scripting (XSS) or SQL injection. The application's behavior under these attacks reveals the extent to which it is susceptible to them.
Compared with static security analysis (SAST), real attacks are carried out here rather than vulnerabilities being inferred theoretically from the source code. This lets you check precisely whether the vulnerabilities found with SAST can actually be exploited.
Interactive security analysis extends dynamic analysis. In addition to the data that the scanner receives in HTTP responses during testing with DAST tools, additional system data is transferred from the application server to the scanner.
This gives the scanner deeper insight and further information, such as hidden paths in the application or system log entries. With this information, further attacks can be carried out and the results assessed more accurately.
Most tools require an additional agent to be installed on the application server to provide this information.
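The following added example (not code from the page or from any DAST/IAST product) illustrates the black-box versus gray-box difference described above on a constructed in-process toy application. The DAST part knows only what is visible in HTTP responses: it crawls the links on the start page and sends a harmless marker string, checking whether the marker comes back unencoded (the classic symptom of reflected XSS). The IAST part additionally reads an "agent snapshot" from the application server, which here exposes the full route table (revealing an unlinked path) and server log lines that corroborate where the probe ended up. The `ToyApp`, the `MARKER` token, and the `agent_snapshot` hook are all constructed for this example; real agents collect this data through instrumentation of the runtime rather than a method call.

```python
"""Toy DAST (black box) versus IAST (gray box) scan against a constructed app."""
import re
from dataclasses import dataclass
from html import escape
from urllib.parse import parse_qs, urlencode

# Harmless, unique probe token: the check is "does it come back unencoded?",
# no script is executed anywhere. Constructed for this example.
MARKER = "dast_probe_7f3a"


@dataclass
class Response:
    status: int
    body: str


@dataclass
class AgentData:
    """What an IAST agent on the app server would hand to the scanner."""
    routes: list   # every registered route, including ones not linked anywhere
    log: list      # server-side log lines collected during the scan


class ToyApp:
    """Constructed target. /search reflects 'q' unescaped (vulnerable),
    /greet HTML-escapes 'name' (safe), /admin/export is never linked."""

    def __init__(self):
        self.routes = {
            "/": self.index,
            "/search": self.search,
            "/greet": self.greet,
            "/admin/export": self.export,
        }
        self.log = []

    def handle(self, path, query):
        params = {k: v[0] for k, v in parse_qs(query).items()}
        handler = self.routes.get(path)
        if handler is None:
            self.log.append(f"404 {path}")
            return Response(404, "not found")
        return handler(params)

    def index(self, params):
        return Response(200, '<a href="/search?q=">search</a> <a href="/greet?name=">greet</a>')

    def search(self, params):
        q = params.get("q", "")
        self.log.append(f"search q={q!r}")
        return Response(200, f"<p>Results for {q}</p>")      # unescaped: reflected XSS

    def greet(self, params):
        name = params.get("name", "")
        return Response(200, f"<p>Hello {escape(name)}</p>")  # hardened: output encoded

    def export(self, params):
        return Response(200, "<p>export</p>")

    def agent_snapshot(self):
        """IAST hook (constructed): route table plus collected log lines."""
        return AgentData(list(self.routes), list(self.log))


LINK_RE = re.compile(r'href="([^"?]+)\?([a-zA-Z_]+)=')


def crawl(app):
    """Black-box discovery: only (path, parameter) pairs linked from the index page."""
    return LINK_RE.findall(app.handle("/", "").body)


def reflects_unescaped(app, path, param):
    """Send the marker wrapped in angle brackets; they survive only if the
    application does not HTML-encode its output."""
    probe = f"<{MARKER}>"
    return probe in app.handle(path, urlencode({param: probe})).body


def dast_scan(app):
    """Pure DAST: finding per crawled parameter, judged from responses alone."""
    return {f"{path}?{param}": reflects_unescaped(app, path, param) for path, param in crawl(app)}


def iast_scan(app):
    """DAST findings refined with agent data: hidden routes and log evidence."""
    findings = dast_scan(app)
    agent = app.agent_snapshot()
    crawled = {path for path, _ in crawl(app)} | {"/"}
    hidden_routes = [r for r in agent.routes if r not in crawled]
    evidence = [line for line in agent.log if MARKER in line]
    return {"findings": findings, "hidden_routes": hidden_routes, "evidence": evidence}


if __name__ == "__main__":
    print("DAST:", dast_scan(ToyApp()))
    print("IAST:", iast_scan(ToyApp()))
```

Running it shows the point of the page: the black-box scan correctly flags `/search?q` and clears `/greet?name`, but it has no way of knowing that `/admin/export` exists; only the gray-box run lists the unlinked route and attaches the server log line that confirms the probe reached the vulnerable handler.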