Building DAST into an MSSP Customer’s Web Application Security Program


When evaluating managed security service providers (MSSPs), companies may not have sufficient knowledge about the importance of a quality DAST (dynamic application security testing) solution to provide regular and scalable security testing.

Having direct and educational conversations with potential customers about DAST and AppSec in general will help MSSPs and their customers build better partnerships and improve their overall security posture.

Conversation Point 1: Application Security Testing is Key

DAST solutions have become security table stakes in a world where web apps are a regular target of attacks and purely manual screening methods are too slow and limited in scope to consistently cover all application vulnerabilities. “Endpoints and humans are often the weak points, and web-facing apps are now being attacked more frequently,” said Matt Hubbell, Invicti’s Director of MSSP, North America.

Unfortunately, application security isn’t always given the attention it needs. According to Akamai’s recent “Web Application and API Threat Report,” web application attack attempts against Akamai customers grew by more than 300% year over year in the first half of 2022 – the largest increase ever observed. This only serves to reinforce why it’s important that companies choose an MSSP that provides application security testing services.

By bringing a DAST solution to the table for customers, MSSPs can take advantage of automated scans to help protect their customers’ web applications and quickly bring vulnerabilities to the attention of developers.

Conversation Point 2: Scan Web Apps and APIs More Than Once in a While

“People who just scan their apps once in a while aren’t really protecting themselves,” warned Hubbell.

DAST tools analyze running web applications and application programming interfaces (APIs) from the outside in, safely simulate external attacks on production systems, and then observe the responses. Used correctly, DAST can improve a company’s overall security posture and reduce the risk of a cyberattack.

Some DAST solutions also include IAST tools that examine web apps from the inside by integrating security testing into the runtime environment. IAST tools monitor running code to detect security vulnerabilities in real time and to identify and isolate the root causes of vulnerabilities at the code level, including those that are not visible from external API interactions. IAST fills the gap between static application security testing (SAST), which checks static code, and DAST, which checks the running application’s behavior.

“The sooner in the software development process a company can find and fix security issues, the safer its business will be – especially in this age of continuous deployment and integration (CI/CD), where code is refined daily or even hourly,” said Hubbell. “Everyone makes mistakes; for example, a common coding error could allow unverified inputs, which could turn into SQL injection attacks that may result in data leaks. The challenge is to find those mistakes in a timely fashion, and MSSPs must be able to scale up their testing regime.”

Advanced DAST solutions can help MSSPs accomplish that.

“The goal is to make these tools part of the software stack to identify and prevent vulnerabilities,” he said. “And the faster the tool is to run, the more accurate its findings can be.”

Conversation Point 3: Good DAST Benefits Everyone

A quality DAST solution offers key benefits to both MSSPs and their customers. Among them are:

  • Cost-effectiveness. DAST can identify application vulnerabilities quickly and efficiently by running regular automated scans across an MSSP customer’s entire applications portfolio. This helps to optimize the costs of time-consuming manual testing while also quickly spotting potential issues before they result in a data breach or costly downtime.
  • Compliance. Many industries, such as healthcare and finance, have compliance requirements that mandate regular vulnerability scanning and testing of web apps and APIs. By offering DAST capabilities as part of their services, MSSPs help their customers meet these requirements and avoid potential fines, penalties, or the need to fix problems flagged by security audits.
  • Data integrity. Web applications and APIs often handle sensitive business and customer data, such as personal information, financial data, and medical records. By identifying vulnerabilities with DAST, companies can protect their customer data from unauthorized access or theft in case of a breach.

Application security is more important than ever in this fast-paced digital world. MSSPs that provide a quality DAST solution demonstrate to their own customers, partners, and stakeholders their commitment to a more comprehensive security solution that covers web application and API security.

Guest blog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.