Published Jul 7, 2021

Episode 467: Kim Carter on Dynamic Application Security Testing

Kim Carter discusses integrating dynamic application security testing (DAST) into the software development lifecycle, focusing on the role of the OWASP Purple Team project in improving code quality and defect detection. By emphasizing adaptable security tools, Carter shows how these practices enable continuous security improvement and robust application protection.
Episode Highlights

  • Testing Methodology

    Dynamic Application Security Testing (DAST) takes a distinct approach to security by simulating real-world attacks against a running application without access to its source code. Carter explains that DAST works from a black-box perspective, exercising the application as an end user or attacker would, in contrast to static analysis, which examines the code directly [1]. Because it only observes requests and responses, the method is language-agnostic and applies across different programming environments [2]. Carter adds that DAST complements other forms of testing by surfacing both known and previously unknown defects, giving a more comprehensive security assessment [3].

    DAST is not just about finding known defects; it's about discovering unknown vulnerabilities that static analysis might miss.

    ---

    By integrating DAST with existing security measures, organizations can enhance their defense-in-depth strategy, ensuring a robust security posture.


  • Testing Advantages

    The advantage of DAST lies in detecting vulnerabilities early, which sharply reduces the cost of late-stage defect fixes. Carter notes that fixing a defect during development is far cheaper than fixing it after release, where the cost can be orders of magnitude higher [4]. The Purple Team tool illustrates this by acting as a mentor to developers, helping them identify and fix defects as they write code and thereby shortening the feedback loop [5].

    Finding and fixing defects early is not just cheaper; it enhances the overall security posture by preventing trivial vulnerabilities from escalating.

    ---

    This proactive approach ensures that developers are continuously learning and improving their security practices, ultimately leading to more secure applications.


  • Penetration Testing Comparison

    While DAST and penetration testing share similarities, they play distinct roles in a comprehensive security strategy. Carter emphasizes that DAST is automated and runs alongside development, catching defects as they are introduced, whereas penetration testing happens later in the lifecycle and tends to uncover more complex vulnerabilities [6]. Despite its cost, penetration testing remains essential for finding the issues that automated tools miss, ensuring a thorough security evaluation [7].

    Penetration testing is about finding the gnarly bugs that automated tools can't catch, elevating the security bar.

    ---

    By using both methods, organizations can ensure that both common and complex vulnerabilities are addressed, strengthening their overall security framework.
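The black-box approach described under Testing Methodology, and the short developer-loop feedback described under Testing Advantages, as one added example (this is not code from the episode, from Kim Carter, or from the OWASP Purple Team project). The scanner never reads the target's source: it sends attacker-style requests and draws conclusions only from the responses, which is what makes it language-agnostic. The target application, the marker string, the probe payloads and the error signatures are all constructed for this demo; the target is deliberately vulnerable so that the probes have something to find.

```python
# Added example: a minimal DAST-style probe runner with a build gate.
import sqlite3
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class VulnerableApp(BaseHTTPRequestHandler):
    """Constructed target with two defects a black-box scanner can observe."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(url.query)
        if url.path == "/search":
            term = params.get("q", [""])[0]
            # Defect 1: user input reflected into HTML without encoding.
            self._send(200, f"<h1>Results for {term}</h1>")
        elif url.path == "/user":
            uid = params.get("id", ["1"])[0]
            db = sqlite3.connect(":memory:")
            db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
            db.execute("INSERT INTO users VALUES (1, 'alice')")
            try:
                # Defect 2: query built by string formatting, and the
                # database error text is echoed back to the client.
                row = db.execute(f"SELECT name FROM users WHERE id = {uid}").fetchone()
                self._send(200, f"<p>{row[0] if row else 'no such user'}</p>")
            except sqlite3.Error as exc:
                self._send(500, f"<pre>Database error: {exc}</pre>")
        else:
            self._send(404, "not found")

    def _send(self, status, body):
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


# --- the scanner: attacker-style requests, findings drawn from responses only ---

MARKER = "dastprobe7"  # constructed token; seeing it back unencoded proves reflection
SQL_ERROR_SIGNATURES = ("unrecognized token", "syntax error", "sqlite3", "mysql", "ora-")


def reflected_unencoded(status, body):
    return f"<{MARKER}>" in body


def sql_error_leaked(status, body):
    lower = body.lower()
    return status >= 500 or any(sig in lower for sig in SQL_ERROR_SIGNATURES)


# (check name, path, parameter, benign value, attack payload, detector)
PROBES = [
    ("reflected-xss", "/search", "q", "shoes", f"<{MARKER}>", reflected_unencoded),
    ("sql-error", "/user", "id", "1", "1'", sql_error_leaked),
]


def fetch(base_url, path, param, value):
    """GET one URL and return (status, body) even when the server answers 4xx/5xx."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: value})}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def scan(base_url):
    """Send each probe and its benign twin; report only behaviour the payload caused."""
    findings = []
    for name, path, param, benign, payload, detector in PROBES:
        base_status, base_body = fetch(base_url, path, param, benign)
        status, body = fetch(base_url, path, param, payload)
        if detector(status, body) and not detector(base_status, base_body):
            findings.append({"check": name, "path": path, "param": param,
                             "payload": payload, "status": status})
    return findings


def gate(findings):
    """Developer-loop / CI gate: True when the scan is clean, False to fail the build."""
    return len(findings) == 0


def run_demo():
    """Start the constructed target on a free loopback port, scan it, tear it down."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Two design points carry over to real scanners. Each probe is paired with a benign request to the same parameter, and a finding is raised only when the payload changes the observed behaviour; without that baseline, an endpoint that always returns 500 would be reported as injectable. The `gate` function is the piece that shortens the feedback loop: wired into a pre-commit hook or a CI job against a locally started instance, it fails fast on the trivial defects and leaves the harder ones for a later penetration test.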

Related Episodes