The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Dynamic Application Security Testing

Dynamic Application Security Testing (DAST) evaluates an application in its running state to identify security vulnerabilities in deployed environments.

Unlike SAST, which examines the code statically, DAST dynamically inspects the application by executing it and observing its behavior.

  • DAST treats the application as a “black box”, meaning it doesn’t require access to the source code. It interacts with the application just as an external attacker would.
  • DAST tools simulate various attack vectors, such as SQL injection, cross-site scripting (XSS), command injection, and other input manipulation attempts to see how the application reacts.

There are two approaches to DAST scanning:

  • Passive mode: Sends normal requests to the web application and analyzes responses.
  • Active mode: Simulates malicious behavior, attempting to break the application.

DAST Best Practices

  1. Integrate DAST Early in CI/CD

    • Run DAST as part of your CI/CD pipeline to catch issues before deployment.
  2. Use a Realistic Test Environment

    • Test against an environment that closely mirrors production: data, configuration, authentication…
  3. Define Clear Scopes for Tests

    • Decide which endpoints, user roles, and business flows are in-scope. Limit tests to agreed-upon boundaries to avoid disrupting critical systems or sensitive data.
  4. Focus on Critical Vulnerabilities and Application Components

    • Prioritize scans on high-value areas such as authentication, authorization, and data entry points.
    • Use risk-based assessments to target the most important parts of your application.
  5. Leverage Fuzz Testing and API Security Testing

    • Complement standard DAST scanning with fuzzing to find edge case vulnerabilities.
    • Include API endpoints in your scan coverage due to their increasing attack surface.
  6. Regularly Update and Tune DAST Tools

    • Ensure tools/libraries are kept up to date to catch the newest threats.
    • Tune scanners to minimize false positives and improve accuracy.

Common Pitfalls to Avoid

  1. Overlooking Business Logic Vulnerabilities

    • DAST scanners may miss complex, custom business logic flaws—supplement automated scanning with manual testing when possible.
  2. Using Incomplete or Unrealistic Test Environments

    • Scanning in “mock” environments can miss configuration issues, real-world data flaws, authentication challenges, and integrations.

DAST Tools in Software Factory

  • GitLab DAST offers integrated DAST capabilities, including API scanning and fuzz testing.

How to Perform DAST in Software Factory

➡️ To implement DAST with GitLab, refer to Howto enable GitLab DAST .