About dynamic analysis (DAST)

An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.

Stage 1: Explore

The Explore stage can be run automatically as part of an automatic scan, or manually by the user, or a combination of both.

During the first stage, and starting from the URL you configure, AppScan on Cloud crawls your application by simulating a web user clicking on links and completing form fields, building an understanding of the application's structure.

ASoC analyzes the responses to each Explore request, looking for any indication of a potential vulnerability. When ASoC receives a response that may indicate a security vulnerability, it creates one or more tests based on the response, as well as noting the validation rules needed to determine which results constitute vulnerability, and the level of security risk involved.

Before sending the site-specific tests that were created, ASoC sends several malformed requests to the application to determine the manner in which it generates error responses. This information is then used to increase the precision of ASoC's automatic test validation process.

In a typical scan, the Explore stage to discover the application runs automatically. However, you can configure ASoC to explore specific parts of the site, or to send requests in a specific order, using the Explore with guidance feature. See Explore with guidance.

Stage 2: Test

During the second stage, ASoC sends the thousands of custom test requests it created during the Explore stage. It records and analyzes the application's response to each test using the custom validation rules. These rules both identify security problems within the application and also rank their level of security risk.

Scan phases

In practice, the Test stage often reveals new links within an application, and with them more potential security risks. Therefore, after completing the first phase of Explore and Test, ASoC automatically begins a second phase to deal with the new information. If new links are discovered during the second phase, a third phase is run, and so on.

The discovery of new links in the Test stage triggers a change in the number of expected tests shown during runtime. After completing the configured number of scan phases, scanning stops and the completed results are available to the user.

The default number of phases is four. This cannot be changed in ASoC, but if a different number is configured in an uploaded configuration file (DAST.CONFIG), that number of phases will be run.
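The following is an added example, written for this page rather than taken from ASoC, that models the Explore/Test loop described above: an error baseline learned from malformed requests before testing, an Explore crawl, a Test stage whose responses can reveal links Explore never saw, and a phase loop that stops either when a Test stage yields nothing new or when the phase limit (four by default) is reached. The in-memory application, its pages, the generic error page text and the one-test-per-page simplification are all constructed for the example; real ASoC creates many tests per page and applies validation rules this toy does not model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed in-memory application (not a real site). "links" are the links a
# normal response contains; "links_on_test" are links that appear only in the
# response to a test request; "error_on_test" marks a page that answers test
# requests with the application's generic error page.
SITE: dict[str, dict] = {
    "/":               {"body": "home",       "links": ["/login", "/search"]},
    "/login":          {"body": "login form", "links": [], "links_on_test": ["/password-reset"]},
    "/search":         {"body": "results",    "links": [], "error_on_test": True},
    "/password-reset": {"body": "reset form", "links": ["/help"], "links_on_test": ["/help/contact"]},
    "/help":           {"body": "help index", "links": []},
    "/help/contact":   {"body": "contact",    "links": []},
}
GENERIC_ERROR = "Error: the request could not be processed"   # constructed error page text
DEFAULT_PHASES = 4                                            # ASoC default number of phases


def fetch(url: str) -> tuple[int, str, list[str]]:
    """Simulate a normal (Explore) request; unknown URLs get the generic error page."""
    page = SITE.get(url)
    if page is None:
        return 500, GENERIC_ERROR, []
    return 200, page["body"], list(page["links"])


def send_test(url: str) -> tuple[int, str, list[str]]:
    """Simulate one site-specific test request created for a page."""
    page = SITE.get(url)
    if page is None or page.get("error_on_test"):
        # Constructed: error pages often carry navigation links of their own.
        return 500, GENERIC_ERROR, ["/error-help"]
    return 200, page["body"] + " [test]", list(page.get("links_on_test", []))


def learn_error_baseline() -> set[str]:
    """Send a few malformed requests first to learn how the app reports errors."""
    probes = ["/%00", "/no-such-page-" + "x" * 32, "/?__probe=%ZZ"]
    return {fetch(p)[1] for p in probes}


def explore(frontier: list[str], visited: set[str]) -> list[str]:
    """Crawl from the frontier, following links found in normal responses."""
    queue, found = list(frontier), []
    while queue:
        url = queue.pop(0)
        if url in visited:
            continue
        visited.add(url)
        found.append(url)
        _, _, links = fetch(url)
        queue.extend(link for link in links if link not in visited)
    return found


@dataclass
class PhaseResult:
    phase: int
    pages_explored: int
    tests_sent: int
    error_responses: int            # test responses matching the learned error baseline
    links_from_tests: list[str] = field(default_factory=list)


def run_scan(start: str = "/", max_phases: int = DEFAULT_PHASES) -> list[PhaseResult]:
    """Alternate Explore and Test until a Test stage reveals no new links,
    or the configured number of phases has been run."""
    baseline = learn_error_baseline()
    visited: set[str] = set()
    frontier = [start]
    results: list[PhaseResult] = []
    for phase in range(1, max_phases + 1):
        pages = explore(frontier, visited)
        errors, new_links = 0, []
        for url in pages:                       # one test per page in this toy model
            _, body, links = send_test(url)
            if body in baseline:                # generic error page: handled error, not a finding
                errors += 1
                continue                        # and its links are not fed into the next phase
            new_links.extend(l for l in links if l not in visited and l not in new_links)
        results.append(PhaseResult(phase, len(pages), len(pages), errors, new_links))
        if not new_links:
            break                               # nothing new: scan completes before the limit
        frontier = new_links
    return results


def expected_tests(results: list[PhaseResult]) -> int:
    """Running total of tests; it grows each time a phase discovers new links."""
    return sum(r.tests_sent for r in results)


if __name__ == "__main__":
    for r in run_scan():
        print(r)
```

Running the block shows three phases for the constructed site: the first Test stage surfaces `/password-reset`, the second surfaces `/help/contact`, and the third finds nothing new, so the scan ends before the four-phase limit. Calling `run_scan(max_phases=2)` instead stops after the second phase even though its Test stage still produced a new link, which is the behaviour a lower phase count in an uploaded DAST.CONFIG would give.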

Scan flow