Why DAST/IAST products are inadequate against finding API vulnerabilities

Sep 18, 2024
appsentinels

During our various customer interactions, customers using Dynamic Application Security Testing (DAST) or Interactive Application Security Testing (IAST) tools often ask how the AppSentinels solution differs from their existing tool.

The core difference is that the AppSentinels API Security Platform understands the context of the application it is protecting, while DAST/IAST products unfortunately do not.

Let me explain why I say this and why it matters:

DAST products started appearing in the market a decade or more ago to find vulnerabilities in web applications. They focused on the web attacks that were understood at the time: the OWASP Top 10. As there is no standard way to describe what a web application does and how to interact with it, DAST products come packaged with a spider/crawler that walks the various URLs of the web application. These products then insert signatures/regex patterns of known attacks, mostly OWASP Top 10 attacks such as SQLi, LFI/RFI and RCE, into the discovered URLs. While such an approach worked for web applications, it falls flat with API-based applications for multiple reasons.
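The coverage gap described above can be measured directly: a link-following crawler only sees what is reachable through HTML anchors, so API endpoints called from JavaScript, or declared only in an OpenAPI document, never enter its queue. The example below is added here and is not AppSentinels code; the in-memory site, the OpenAPI paths and the function names (`crawl`, `coverage_gap`) are all constructed for illustration.

```python
"""Constructed example: crawl coverage vs. declared API surface (not from the page)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site: path -> HTML body. No network access is made.
# Note the API calls live inside <script>, not in <a href>.
SITE = {
    "/": '<a href="/products">Products</a> <a href="/about">About</a>',
    "/products": '<a href="/">Home</a>'
                 '<script>fetch("/api/v1/products").then(r => r.json())</script>',
    "/about": '<a href="/contact">Contact</a>',
    "/contact": '<form action="/api/v1/orders" method="post"></form>',
}

# Constructed OpenAPI fragment: only the "paths" object matters here.
OPENAPI = {"paths": {
    "/api/v1/products": {"get": {}},
    "/api/v1/products/{id}": {"get": {}, "delete": {}},
    "/api/v1/orders": {"post": {}},
}}

class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags, which is all a link crawler follows."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def crawl(site, start="/"):
    """Breadth-first anchor crawl; returns the set of same-origin paths found."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop(0)
        if path in seen or path not in site:
            continue
        seen.add(path)
        parser = LinkExtractor()
        parser.feed(site[path])
        for href in parser.links:
            target = urlparse(urljoin(path, href)).path
            if target not in seen:
                queue.append(target)
    return seen

def coverage_gap(site, spec):
    """Declared API paths the crawler never reached (what DAST cannot test)."""
    crawled, declared = crawl(site), set(spec["paths"])
    return {"crawled": crawled, "declared": declared, "missed": declared - crawled}
```

Running `coverage_gap(SITE, OPENAPI)` shows every declared API path in `missed`: the crawler found four HTML pages and zero API endpoints, and templated paths such as `/api/v1/products/{id}` could never be reached by link-following at all.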

First, there is no way to discover API endpoints by crawling, which severely limits the effectiveness of these tools in finding security issues in the application. To work around this limitation, DAST tools started adding the capability to inspect APIs using a customer-provided OpenAPI/Swagger schema. Relying on this approach for API security testing has serious limitations, as the majority of the