
Dynamic Application Security Testing (DAST)

Dynamic application security testing, or DAST, evaluates a running application by interacting with it from the outside to identify security weaknesses in behavior and responses. It matters because some vulnerabilities only become visible when the application is actually executing.

What is Dynamic Application Security Testing (DAST)?

DAST tools test a live application by sending requests, probing inputs, and observing outputs for signs of vulnerabilities such as injection, authentication weaknesses, and insecure session handling. DAST is commonly used against web applications and APIs.

What DAST Commonly Finds

Common findings include reflected injection issues, insecure headers, authentication problems, exposed error behavior, weak session handling, and externally visible misconfigurations.
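
As an added illustration (not code from this glossary or from any DAST product), the sketch below shows the passive side of such checks: it inspects one captured HTTP response for missing security headers, session cookies without protective flags, and error text leaked in the body. The sample response, the header list, and the error signatures are constructed assumptions, not a complete rule set.

```python
import re
from email.parser import Parser

# Constructed sample response for illustration (not from a real application).
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<pre>Traceback (most recent call last):\n  File \"app.py\", line 12</pre>"
)

# Assumed baseline for this example; real scanners use larger, tunable lists.
EXPECTED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security",
                    "X-Content-Type-Options")
COOKIE_FLAGS = ("secure", "httponly", "samesite")
ERROR_PATTERNS = (r"Traceback \(most recent call last\)",
                  r"at [\w.$]+\(\w+\.java:\d+\)")

def analyze_response(raw):
    """Return (category, detail) findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    _status_line, _, header_text = head.partition("\r\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    findings = []
    # Insecure headers: report each expected header that is absent.
    for name in EXPECTED_HEADERS:
        if headers.get(name) is None:
            findings.append(("missing-header", name))
    # Weak session handling: report cookies lacking protective attributes.
    for cookie in headers.get_all("Set-Cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower()
                 for p in cookie.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(("cookie-flag", f"{cookie_name}:{flag}"))
    # Exposed error behavior: stack-trace text visible to the client.
    for pattern in ERROR_PATTERNS:
        if re.search(pattern, body):
            findings.append(("error-disclosure", pattern))
    return findings

if __name__ == "__main__":
    for category, detail in analyze_response(SAMPLE_RESPONSE):
        print(f"{category}: {detail}")
```
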

DAST vs. SAST

DAST tests a running application from the outside. SAST analyzes code before runtime.

Frequently Asked Questions

Why is DAST useful?

Because it helps teams validate how an application behaves in practice and can reveal issues that static review alone may miss.

Does DAST understand business logic deeply?

Not usually. It is strong for observable runtime issues, but deeper workflow abuse and logic flaws often need human testing too.

George Mutune

I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through inefficiencies that plague today's business environments.