How DAST and Fuzzing Expose Real-World Vulnerabilities?

You’ve scanned your source code for vulnerabilities. You’ve practiced secure coding.

But can your code survive in the real world? Your code might work in a controlled environment, but it won’t always be in a controlled environment — it has to work in the real world too.

And in the real world, vulnerabilities aren’t always what you expect them to be. This is why dynamic testing, like DAST and fuzzing, is vital for a secure application.

Dynamic Application Security Testing, or DAST, is a security testing methodology that analyzes an application as it’s running. Unlike SAST (static application security testing), which analyzes the security of the source code, DAST doesn’t need access to the internal workings of an application. DAST testers take on the role of an external attacker, seeking vulnerabilities that a real threat actor would exploit, and simulating real-world attacks against the code.

By testing the application while it’s running, DAST catches issues that only appear when the application is actively processing inputs, like misconfigurations, broken authentication, or business logic flaws.

What is fuzzing?

Fuzzing is an automated testing technique that feeds unexpected inputs into a program to discover vulnerabilities, crashes, and other unexpected behaviors. It’s often used for security testing at the input-processing level and can be applied to software components like parsers, protocols, and APIs.

Fuzzing came into being in the 1980s, when Steve Capps repurposed a Macintosh demo tool to create random clicks and input from the keyboard to test MacWrite and MacPaint.

The term “fuzzing” was coined a few years later when Professor Barton Miller, inspired by the interference of a thunderstorm that crashed several applications, assigned his class to develop programs that would feed random unpredictable data to Unix applications. The goal of this assignment was to see if Unix programs could still run despite all the fuzz being thrown at them. Barton called the project “The Fuzz Generator.”

Is fuzzing the same thing as DAST?

While fuzzing and DAST are related, they are not the same. It’s more accurate to say that fuzzing falls under the DAST umbrella because it’s a dynamic way of testing code. Both test running code. Both are security-focused. Fuzzing can be part of a DAST strategy.  However, DAST describes a much broader approach to testing.

DAST can be seen as a category of testing that includes penetration testing as well as fuzzing. As a discipline, DAST platforms and testers have a different focus from fuzzers: they approach testing by trying to penetrate an application from the outside in. Generally DAST is used to test web applications, and focuses on web app security. 

Fuzzing, on the other hand, is concerned with making sure your application can handle the stress of weird and random inputs without crashing or entering an insecure state. For example, a deluge of random inputs can leave software in an unexpected state which could be exploited by threat actors. Fuzzing is used to validate inputs and make sure your code is robust. 

The world is a random and unexpected place. Your team can’t design secure code for situations or attacks they’ve never even considered. DAST and fuzzing gives your team a window into what could happen once your application’s been launched and meets an unexpected attack or input.

Fuzzing and DAST are capable of catching problems that might be missed by other testing, and once testing is set up, it can run automatically and continuously, catching issues and flagging them for your team.

Apona’s intelligent security tools let your team integrate fuzzing and DAST right into your CI/CD pipelines, speeding up testing, and ensuring your code is secure. Streamline your security testing with Apona today.