Both SAST and DAST are typically used in pre-production testing (during the QA phase). For highly critical applications, manual penetration testing is also recommended. Our solutions integrate with widely used WAFs such as Imperva, so you can quickly mitigate vulnerabilities via virtual patching while the underlying code fix is developed.
DAST tests applications in a running state by probing their exposed web interfaces from the “outside in”. For this reason, it is often called “black box” testing. DAST typically looks for vulnerabilities such as SQL injection and cross-site scripting, as well as issues that only surface when the application is running, such as authentication vulnerabilities and server misconfiguration errors. It is important to test both credentialed and anonymous access, since some vulnerabilities are not reachable by an unauthenticated attacker but show up once the scanner is logged in as a known user.
Black box testing is more representative of how an outside cyber-criminal will act, but it takes longer to run and cannot exercise all data and control paths through the application in the way that SAST, which analyzes the code itself, does.
Since pre-production environments are usually located behind the firewall and are not reachable from a cloud scanner, we also provide a Virtual Scanning Appliance (VSA). The VSA is a locally installed, software-based virtual appliance that provides full DAST capabilities and is fully integrated with our central cloud-based platform. This allows local DAST results to be managed via a single set of policies and reports, in combination with automated SAST and manual penetration testing results, to maximize accuracy and minimize false positives.