As the CISO of a high-growth company in a highly-regulated industry, application security is my top priority. I selected the top DAST tools based on my experience and our research efforts. Follow the links for the rationale behind each selection:
| Software | For | |
|---|---|---|
1. | Web Application Scanning | |
2. | Pentesting | |
3. | Identifying & Tracking Vulnerabilities | |
4. | Network Scanning and Security | |
5. | Enterprise-grade application vulnerability assessments | |
| Show More (5) | ||
6. | Mobile app scanning | |
7. | DAST in fast-paced CI/CD environments | |
8. | Real-time risk mitigation | |
9. | Analyzing vulnerabilities directly within running applications | |
10. | Free / open source DAST | |
There are 20+ DAST tools available in the market, choosing the right tool can be complex. When choosing a DAST tool, users often consider:
- Integration with SIEM and ticketing tools
- Deployment options, such as on-prem, hybrid, or cloud
- Features such as XSS detection, SQL injection detection, and Oauth 2.0 Integration
- Scalability to handle applications of various sizes and complexities and to scale with the organization’s growing needs.
Top 10 DAST tools compared
| Vendors | Reviews** | Free Trial*** | Employees | Price |
|---|---|---|---|---|
| Invicti | 4.6 based on 203 reviews | ✅ | 300 | Not shared publicly |
| PortSwigger Burp Suite | 4.7 based on 124 reviews | ✅ | 190 | From $449 to $49,000 per year (Professional edition, per person vs Enterprise edition.) Also has a free “community” version. |
InsightVM Rapid7 | 4.4 based on 94 reviews | ✅ (30-day) | 2,700 | Pricing is asset-based (at least 512 assets).1 |
| Tenable Nessus Professional | 4.6 based on 88 reviews | ✅ (7-day) | 2,100 | Tenable Nessus has 3 pricing edition(s), from $3,590 to $5,290 annually. |
| HCL AppScan | 4.0 based on 82 reviews | ✅ (30-day) | 10,000 | Not shared publicly |
Contrast Assess | 4.5 based on 49 reviews | ❌ | 300 | Not shared publicly |
Indusface WAS | 4.5 based on 58 reviews | ✅ (14-day) | 150 | Has a free “basic” plan. Advanced plan, priced at $59 per month. A premium plan at $199 per month. |
Checkmarx DAST | 4.2 based on 34 reviews | ❌ | 130 | Not shared publicly |
NowSecure | 4.6 based on 26 reviews | ✅ | 118 | Not shared publicly |
OWASP ZAP (Zed Attack Proxy) | 4.7 based on 11 reviews | Open Source | N/A**** | Open Source |
** Reviews are based on Capterra and G2.
*** Free trial period is included if it is publicly shared.
**** Community-driven, non-profit foundation
These solutions include both paid and free DAST solutions. If you’re only interested in free solutions, check out free DAST tools.
Integration capabilities of DAST tools
| Vendor | Integration with SIEM tools | Ticketing tool integrations |
|---|---|---|
| Invicti | Splunk | Built-in, Jira, ServiceNow |
PortSwigger Burp Suite | Built-in, Jira | |
| InsightVM Rapid 7 | Splunk, McAfee ESM,Sumo Logic | Built-in, Jira, ServiceNow |
| Tenable Nessus Professional | Splunk, IBM QRadar, McAfee ESM | Built-in, Jira, ServiceNow |
HCL AppScan | IBM Security QRadar | Jira, ServiceNow |
| NowSecure | Jira | |
Checkmarx DAST | Splunk | Jira, ServiceNow |
Indusface WAS | Sumo Logic, RSA, Splunk, McAfee ESM | |
Contrast Assess | Azure Sentinel, Datadog, Splunk, Sumo Logic | Jira |
OWASP ZAP |
Features of DAST tools
| Vendor | Deployment options | Detect XSS | Detect SQL injection | OAuth 2.0 |
|---|---|---|---|---|
| Invicti | On-Prem, Cloud, Hybrid | ✅ | ✅ | ✅ |
PortSwigger Burp Suite | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
| InsightVM Rapid 7 | On-Prem, Cloud, Hybrid | ❌ | ❌ | ❌ |
| Tenable Nessus Professional | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
HCL AppScan | On-Prem, Cloud, Hybrid | ✅ | ✅ | ✅ |
| NowSecure | On-Prem, Cloud | ❌ | ❌ | ❌ |
Checkmarx DAST | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
Indusface WAS | Cloud | ✅ | ✅ | ❌ |
Contrast Assess | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
OWASP ZAP | On-Prem | ✅ | ✅ | ✅ |
To understand why these differentiating features are important, check the definitions and significance of each feature.
Top DAST tools analyzed
Invicti: Best for Web Application Scanning
Invicti’s Dynamic Application Security Testing (DAST) tool leverages a dynamic and interactive scanning approach (DAST + IAST). Invicti’s DAST solution’s
- Deployment can be on-prem, public or private cloud and hybrid.
- Features include Web Application Firewall and Oauth 2.0 integration.
- Best known for web application security scanning, which can scan internal or external websites.
Pros
- Most promising features of Invicti are:
- its ability to confirm access vulnerabilities and SSL injection vulnerabilities,
- its connectors to other security tools.
- Users argue that Invicti’s baseline scanning and incremental scan are valuable features.
- Invicti’s proof-based scanning helps reduce vulnerability validation time so users can focus on finding more complex vulnerabilities.
Cons
- False positive analysis and vulnerability analysis libraries could be improved.
- Specificity of the reports generated by the tool could be improved
- Licensing model could be more cost-effective.
PortSwigger Burp Suite: Best for Pentesters
PortSwigger’s Burp Suite focuses on both automated and manual Dynamic Application Security Testing (DAST). Burp Suite incorporates methods like out-of-band testing (OAST). Burp Suite is available in different editions, including the Professional, Enterprise, and Community editions.
Professionals who seek to enhance their penetration testing use PortSwigger. The UI may be complex for users who lack technical expertise. The community edition can scan or crawl web apps internally or externally, while the paid version provides additional capabilities for enterprises that seek a more complex tool.
Pros
- Straightforward setup process, as mentioned by multiple reviewers.
- Accuracy in comparison to other solutions, reporting fewer false positives.
- The automated scan feature is particularly useful for customers needing basic security assurance.
Cons
- Stability issues, particularly in terms of high memory usage while scanning.
- Integrations: It could offer better integration with tools like Jenkins for automating dynamic application security testing (DAST).
- Reporting: There are concerns about the quality of reporting, with some finding it not very informative.
InsightVM Rapid7: Best for Identifying and Tracking Vulnerabilities
InsightVM from Rapid7 is not a DAST tool but a vulnerability management solution to detect threats in IT environments. It utilizes Rapid7’s vulnerability research, insights into global attacker activities, and internet scanning data.
It also includes integration with Rapid7’s Metasploit to confirm exploits. The platform provides capabilities like real-time monitoring and evaluations of cloud, virtual, and container assets, which makes it adaptable for varied and evolving IT settings.
This integration also makes it a suitable option for penetration testing. InsightVM has strong SIEM, tracking of vulnerabilities, and live observation with endpoint agents.
Pros
- Agent-based platform of the tool allows users to concentrate on making enhancements while managing underlying dependencies with ease.
- It clearly highlights vulnerabilities and prioritizes remediation efforts, making it useful for managing vulnerabilities and patches.
- Its use of real risk scores, along with features like agent and engine support, SCCM-assisted patching, hardening checks, remediation projects, and SLAs, is effective.
Cons
- Memory consumption can be high
- Immature and inconsistent graphical user interface (GUI). and Query builder is limited.
- Bugs in complex vulnerability checks sometimes take a long time to resolve. Setting up reports to be concise can be challenging.
Tenable Nessus Professional: Best for Network scanning and Security
Tenable Nessus Professional conducts vulnerability assessments through evaluative and agentless scans. Multi-year subscriptions are available for Nessus Professional, which encompass enhanced support services such as telephone, community forums, and live chat assistance.
Tenable Nessus has a more expensive version, Tenable Nessus Expert, which adds features such as web application scanning and external attack surface scanning.
We discussed the pricing of dast tools and more in the “DAST Pricing: Comparison of Vendor’s Fees” article.
Pros
- User-friendly graphical interface and superior detection capabilities.
- Satisfactory customer support
- Dual implementation approach, which includes both agent-based and credentials-based solutions.
- Frequent updates to incorporate the most recent vulnerabilities, along with recommendations for remediation.
Cons
- Some users have mentioned experiencing variability in both the duration of scans and the consistency of results with the tool.
- Retrieving reports over an extended timeframe can be time-consuming, indicating that both the scanning and reporting processes require a significant amount of time.
If you are already using Tenable Nessus and looking for alternatives, you can read our article “Tenable Nessus Alternatives”.
HCL AppScan
The AppScan suite includes several products (AppScan on Cloud, AppScan 360, AppScan Standard, AppScan Source, and AppScan Enterprise). HCL AppScan includes integration capabilities with various development and deployment environments, regulatory compliance reporting, and customization through the AppScan Extension Framework.
Pros
- Among the top 2 performers in our DAST benchmark with a
- high true positive rate
- low false positive rate
- high accuracy rate in assigning severity to issues
- Quick responses to feature requests.
- Clear remediation suggestions facilitate ease of use for developers
Cons
- In our view, dashboard and overview section in reports lag behind other commercial DAST tools.
- has limited integration with some of the container technologies
- CI/CD integration and scalability can be challenging due to
- Licensing restrictions
- Slow scan duration. It had the slowest scan time in our benchmark.
NowSecure: Best for Mobile App Scanning
NowSecure DAST is focused only on mobile application testing, it does not provide web application testing.
Since the mobile app scanning market is limited, few tools are focused solely on mobile app scanning. NowSecure could be a suitable option for businesses that
- Test only mobile applications.
- Can afford a dedicated tool for mobile app scanning.
Pros
- Users cite that the platform is easy to integrate and has an intuitive interface.
- Reporting capabilities of the tool are advanced
Cons
- Testing can be complex and require manual intervention.
- Cost of the service can be a challenge for smaller companies.
- Customization options are not widely available.
Checkmarx DAST
Checkmarx DAST can be deployed on-prem, hybrid, or cloud. It offers SQL injection detection and XSS detection. Checkmarx DAST is part of the Checkmarx One platform, which consolidates various application security tools (such as SAST, API Security, Container Security, etc.) into a single platform.
Pros
- Checkmarx finds noticeably higher vulnerabilities than free tools.
- Centralized reporting functionality can be helpful with tracking issues.
Cons
- Some users have reported that Checkmarx has a slightly difficult compilation with the CI/CD pipeline.
- Some users have reported that the interactive application security testing (IAST) part needs improvement.
Indusface WAS
The Indusface DAST provides cloud-based Web Application Firewall (WAF) features. Indusface WAS cannot be deployed on prem, which could be seen as a negative if users wish to avoid using cloud services.
Pros
- The tool is capable of running complex workloads.
- Support: Users state that the tools have quick support and timely responsiveness, also stating that the team is knowledgeable and efficient.
Cons
- Time-out time after inactivity in the portal can be longer.
- User interface can be made more intuitive and informative for the user. The design looks dated.
Contrast Assess
Contrast Security’s tool, Contrast Assess, primarily uses an Interactive Application Security Testing (IAST) approach.
Pros
- Users state that Contrast Asses is a stable solution.
- Users state that the solution is accurate in identifying vulnerabilities. Multiple users also noted that the real-time code evaluation feature is helpful.
Cons
- Users have argue that the solution should provide more details in the section showing that third-party libraries have CVEs or some vulnerabilities.
- Some users cite their concern about the scalability of the solution.
OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool. It acts as a man-in-the-middle proxy, which allows it to intercept and inspect messages sent between a browser and a web server to find security holes in real-time.
During our experience with the tool, we identified these:
Pros
- Low false positive rate
- Easy to use, especially for an open-source tool.
- Integrations to DevSecOps tools like DefectDojo.2
Cons
- Limited vulnerability detection rate.
- It takes considerable time to analyze big applications but it can be fast for small applications
- In terms of integrations ZAP lags behind commercial web scanning applications which can also lead to more manual work.
Why are the differentiating features important?
Integration with SIEM Tools
SIEM (Security Information and Event Management) systems analyze real-time security alerts from network devices and applications. Integrations with them are valuable for DAST tools as they provide a centralized view for monitoring and responding to security threats detected during dynamic scans.
Ticketing Tool
In the context of DAST tools, a ticketing tool is an integrated or connected system that helps manage and track issues found during security tests. For example, when a DAST tool identifies a vulnerability, such as SQL injection or cross-site scripting (XSS), it can automatically create tickets for these issues within the ticketing tool. This helps organizations track the status of each vulnerability from discovery to resolution.
Deployment
On-Prem Deployment
On-prem DAST tools are installed and managed within an organization’s own infrastructure. This model provides the highest level of control over the security and maintenance of the tools and the data they process. It’s particularly beneficial for industries with stringent compliance requirements, such as financial services, healthcare, and government sectors. These organizations often require full oversight of their security tools due to the sensitive nature of their data.
While this deployment model can lead to higher upfront costs due to the necessary investment in hardware and personnel, it offers reduced latency and potentially higher performance, essential for organizations with large, complex applications.
Cloud-Based Deployment
Cloud-based DAST solutions are hosted on the provider’s servers and accessed over the internet. This model offers scalability, allowing organizations to easily increase or decrease their testing capacity based on current needs without the need for physical infrastructure changes.
It typically operates on a subscription basis, eliminating large upfront investments and ongoing hardware maintenance costs. Cloud deployment also enhances accessibility, enabling security teams to conduct tests from anywhere, which is an advantage for companies with remote teams or multiple locations. However, it involves trusting a third-party provider with sensitive data, which may not be suitable for all types of businesses.
Hybrid Deployment
Hybrid deployment models combine on-prem and cloud-based components. Hybrid models provide flexibility in data handling and tool deployment, enabling sensitive data to be processed on-premises while less critical operations can be managed in the cloud. This approach helps balance the need for control and customization with the benefits of scalability and cost reduction.
XSS Detection
Cross-site scripting (XSS) detection is a crucial feature for DAST tools due to the prevalence and impact of XSS vulnerabilities in web applications. XSS vulnerabilities exploit how browsers parse HTML and JavaScript, enabling attackers to inject malicious scripts into web pages viewed by other users. This can lead to various security breaches, including data theft, session hijacking, and malicious redirection, thereby compromising user trust and data integrity.
The complexity and variability of XSS attacks necessitate sophisticated detection mechanisms. DAST tools address this need by actively testing web applications from an outside perspective, mimicking the actions of a potential attacker. By simulating attempts to exploit XSS and other vulnerabilities, DAST tools help organizations identify and mitigate security risks promptly, maintaining the security and integrity of their web applications. This capability is integral to ensuring the comprehensive security coverage needed in today’s cybersecurity landscape.
SQL injection detection
SQL Injection detection is a critical capability for Dynamic Application Security Testing (DAST) tools due to the severe impact SQL Injection attacks can have on an organization. These attacks allow an attacker to interfere with the queries that an application makes to its database, potentially enabling unauthorized viewing of user lists, deletion of entire tables, and, in some cases, gaining administrative rights to a database system.
Given the ubiquity of SQL databases in web applications and the potential for significant data breaches or loss, the ability to detect SQL Injection vulnerabilities early in the software development lifecycle is imperative. By simulating attack patterns used in SQL Injection, DAST tools can identify vulnerable spots in applications where unsanitized user input might be incorrectly executed as SQL commands, thereby helping to prevent potential exploits.
OAuth 2.0 integration
OAuth 2.0 integration in DAST tools is pivotal for assessing the security of modern web applications that utilize this standard for delegated authorization. By simulating authenticated sessions and testing the application’s OAuth 2.0 implementation, DAST tools can uncover vulnerabilities in authorization flows, token handling, and other critical areas that could lead to unauthorized data access or breaches.
This integration ensures that DAST tools can effectively evaluate the security of applications in real-world scenarios, where OAuth 2.0 plays a fundamental role in user authentication and access control, thereby maintaining the integrity and confidentiality of sensitive information in an increasingly interconnected digital landscape.
Core features of DAST tools
- Vulnerability Scanning
- Dynamic Crawling
- API Coverage
- Security Reporting
- Authentication Handling
For an in depth look at vulnerability scanning see:
How did we choose the top DAST tools?
In our evaluation of the top DAST tools, we used two publicly accessible criteria in addition to features of these tools:
- Employee Count: 1oo+
- Reviews on B2B Platforms: 10+ reviews from B2B platforms (e.g. G2, Capterra)
FAQ
What is a DAST Tool?
DAST tools are application security solutions that detect vulnerabilities in web applications while running in a live environment. They simulate attacks from a malicious user’s perspective to identify potential security issues. They can also be considered a part of vulnerability scanning tools.
How Do DAST Tools Work?
DAST tools typically interact with an application through its front end, testing for vulnerabilities like SQL injection, cross-site scripting (XSS), and other standard security threats. They do not require access to the source code.
Who Should Use DAST Tools?
DAST tools are essential for security teams, developers, and IT professionals involved in maintaining the security of web applications. They are particularly useful for organizations with dynamic, frequently updated web applications.
What are the Benefits of Using DAST Tools?
The main benefits include the ability to identify real-world attack vectors, ease of use without needing access to source code, and the capacity to test applications in their final running state.
Can DAST Tools Replace Other Security Testing Methods?
No, DAST complements other testing methods like static application security testing (SAST) and interactive application security testing (IAST). A comprehensive security strategy requires a mix of different testing approaches.
Are There Limitations to DAST Tools?
Yes, DAST tools can miss vulnerabilities that are not exposed through the web interface, and they might generate false positives. They also can’t typically assess the source code for underlying issues.
How Often Should DAST Tools be Used?
It’s recommended to use DAST tools regularly, especially after significant changes to the application or its environment. Continuous integration environments may benefit from more frequent testing.
Can DAST Tools Test Mobile Applications?
Some DAST tools are capable of testing mobile applications, but their effectiveness can vary depending on the tool and the specific application architecture.
Are DAST Tools Suitable for All Web Applications?
DAST tools are versatile, but their effectiveness can vary depending on the complexity and technology of the web application. They are generally more effective for traditional web applications than for single-page applications or services using extensive client-side scripting.
External Links
- 1. "Burp Suite Enterprise Edition plans". PortSwigger. Retrieved on June 9, 2024
- 2. ZAP – Third Party Products and Services.
Comments
Your email address will not be published. All fields are required.