About dynamic analysis (DAST)

An AppScan 360° dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.

Stage 1: Explore

The Explore stage can run automatically as part of a scan, be performed manually by the user, or combine both.

During the first stage, and starting from the URL you configure, AppScan 360° crawls your application by simulating a web user clicking on links and completing form fields, building an understanding of the application's structure.

AppScan 360° analyzes the responses to each Explore request, looking for any indication of a potential vulnerability. When AppScan 360° receives a response that may indicate a security vulnerability, it creates one or more tests based on the response, as well as noting the validation rules needed to determine which results constitute vulnerability, and the level of security risk involved.

Before sending the site-specific tests that were created, AppScan 360° sends several malformed requests to the application to determine the manner in which it generates error responses. This information is then used to increase the precision of AppScan 360°'s automatic test validation process.

In a typical scan, the Explore stage to discover the application runs automatically. However, you can configure AppScan 360° to explore specific parts of the site, or to send requests in a specific order, using the Explore with guidance feature. See Explore with guidance.

Stage 2: Test

During the second stage, AppScan 360° sends the thousands of custom test requests it created during the Explore stage. It records and analyzes the application's response to each test using the custom validation rules. These rules both identify security problems within the application and also rank their level of security risk.

Scan phases

In practice, the Test stage often reveals new links within an application, and with them more potential security risks. Therefore, after completing the first phase of Explore and Test, AppScan 360° automatically begins a second phase to deal with the new information. If new links are discovered during the second phase, a third phase is run, and so on.

The discovery of new links in the Test stage changes the number of expected tests shown during runtime. After completing the configured number of scan phases, scanning stops and the completed results are available to the user.

The default number of phases is four. This cannot be changed in AppScan 360°, but if a different number is configured in an uploaded configuration file (DAST.CONFIG), scan file (.scan), or scan template (.scant), that number of phases will be run.
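The Explore stage, the error-response fingerprinting, the Test stage and the phase loop described above, as an added illustration in Python. This is not AppScan 360° code: it is a simulated scanner run against a constructed in-memory application so that it works offline. The routes, the single `x'` probe payload, the two response signatures and the four-phase cap are assumptions made for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# --- Constructed in-memory target (assumption for the demo, not a real site) ---
SQL_ERROR = "Database error: You have an error in your SQL syntax near"

def target_app(url):
    """Return (status, body) for a request URL. Behaviour is constructed."""
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    if p.path == "/":
        return 200, '<a href="/search?q=shoes">Search</a> <a href="/about">About</a>'
    if p.path == "/about":
        return 200, "About us"
    if p.path == "/search":
        term = q.get("q", "")
        if "'" in term:  # unescaped quote: verbose DB error that also leaks a link
            return 500, f'{SQL_ERROR} "{term}" <a href="/debug">debug console</a>'
        return 200, f"Results for {term}"
    if p.path == "/debug":
        return 200, '<a href="/debug/eval?expr=1">eval</a>'
    if p.path == "/debug/eval":
        if "'" in q.get("expr", ""):  # generic error page, same as for malformed input
            return 500, "Internal Server Error"
        return 200, "ok"
    if "%00" in url:
        return 500, "Internal Server Error"
    if not re.fullmatch(r"/[\w/]*", p.path):
        return 400, "Bad Request"
    return 404, "Not Found"

# --- Simulated scanner -------------------------------------------------------
LINK_RE = re.compile(r'href="([^"]+)"')
PAYLOAD = "x'"  # one probe per parameter is enough for the demo
# Validation rules: (issue name, response signature, severity); first match wins.
SIGNATURES = [
    ("SQL injection", re.compile(r"SQL syntax", re.I), "High"),
    ("Application error disclosure", re.compile(r"\berror\b", re.I), "Low"),
]

def fingerprint_errors(target):
    """Send deliberately malformed requests and record how the app reports errors."""
    probes = ["/%00", "/this-page-does-not-exist-", "/<>"]
    return {target(u) for u in probes}

def with_payload(url, param, payload):
    """Rebuild url with one query parameter replaced by the payload."""
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    q[param] = payload
    return urlunparse(p._replace(query=urlencode(q)))

def explore_stage(target, start_urls, known):
    """Crawl breadth-first from start_urls; return (url, param) tests to send."""
    queue, tests = list(start_urls), []
    while queue:
        url = queue.pop(0)
        if url in known:
            continue
        known.add(url)
        _, body = target(url)
        queue.extend(l for l in LINK_RE.findall(body) if l not in known)
        for param in parse_qs(urlparse(url).query):
            tests.append((url, param))
    return tests

def send_tests(target, tests, baseline, known, findings):
    """Send each test, validate the response, and return links not seen before."""
    new_links = []
    for url, param in tests:
        response = target(with_payload(url, param, PAYLOAD))
        _, body = response
        # A response identical to the app's generic error page is not evidence.
        if response not in baseline:
            for issue, sig, severity in SIGNATURES:
                if sig.search(body):
                    findings.append({"issue": issue, "url": url,
                                     "param": param, "severity": severity})
                    break
        for link in LINK_RE.findall(body):
            if link not in known and link not in new_links:
                new_links.append(link)
    return new_links

def scan(target, start_url, max_phases=4):
    """Run Explore/Test phases until no new links appear or max_phases is reached."""
    baseline = fingerprint_errors(target)
    known, findings, phases = set(), [], []
    pending = [start_url]
    while pending and len(phases) < max_phases:
        tests = explore_stage(target, pending, known)
        pending = send_tests(target, tests, baseline, known, findings)
        phases.append({"tests": len(tests), "new_links": len(pending)})
    return {"findings": findings, "phases": phases, "urls": sorted(known)}

if __name__ == "__main__":
    print(scan(target_app, "/"))
```

Run as-is, the scan stops after two phases: the injection probe against `/search` returns a database error that is not in the recorded error baseline, so it is reported, and its body leaks `/debug`, which starts phase 2. The probe against `/debug/eval` returns the same generic page the malformed-request probes did, so it is discarded rather than reported as error disclosure. Passing `max_phases=1` shows the effect of the phase cap: `/debug` is never explored.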

Scan flow