Day 26 of 60 · Dynamic, fuzz & dynamic security
DAST (dynamic application security testing)
SAST shows you what the code might allow. DAST shows you what an attacker actually can do. The gap between the two is where the breach lives.
Problem
Vulnerabilities that are only visible at runtime: auth bypass, IDOR, broken access control, server-side injection.
How it works
Crawl and attack the running application from the outside. Point it at staging or a hardened test environment rather than production, since active scans mutate state. Modern tools combine OpenAPI ingestion with intelligent fuzzing so every documented endpoint and parameter gets exercised.
What it catches
Auth/authz flaws, IDOR, SSRF, runtime injection, insecure session handling. It reports actual exploitability against the deployed system, which SAST cannot see.
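The "crawl + attack from the outside" idea in miniature, as an added example that is not code from the page or from any scanner it names: an OpenAPI-driven object-level authorization probe. It walks every GET path template that carries a path parameter, fetches an object one seeded user owns, then requests the same URL as an unrelated user. Identical 200 responses mean the endpoint has no object-level check (IDOR). The HTTP layer is injected as a callable so the probe runs offline against a constructed stand-in application; the spec, identities, tokens and IDs are all hypothetical.

```python
"""Added example, not from the page or any DAST tool: minimal OpenAPI-driven
IDOR probe with an injected HTTP layer (all names and data constructed)."""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                    # (status, body)
Sender = Callable[[str, str, str], Response]  # (method, url, bearer token)

_PARAM = re.compile(r"\{(\w+)\}")

# Constructed stand-in for a spec a scanner would ingest from /openapi.json.
OPENAPI_SPEC: Dict = {
    "paths": {
        "/health": {"get": {}},
        "/users/{userId}": {"get": {}},
        "/users/{userId}/invoices/{invoiceId}": {"get": {}},
    }
}

# Two seeded test identities and the object IDs each one owns (constructed).
SESSIONS: Dict[str, Dict] = {
    "alice": {"token": "tok-alice", "ids": {"userId": "1", "invoiceId": "101"}},
    "bob":   {"token": "tok-bob",   "ids": {"userId": "2", "invoiceId": "202"}},
}


def fill_path(template: str, ids: Dict[str, str]) -> str:
    """Substitute every {param} in a path template with a concrete ID."""
    return _PARAM.sub(lambda m: ids[m.group(1)], template)


def probe_object_access(spec: Dict, sessions: Dict[str, Dict], send: Sender,
                        owner: str = "alice", attacker: str = "bob") -> List[str]:
    """Return 'GET <template>' for every object endpoint readable cross-user."""
    own, atk = sessions[owner], sessions[attacker]
    findings: List[str] = []
    for template, methods in spec["paths"].items():
        if "get" not in methods or not _PARAM.search(template):
            continue                      # only parameterised object reads
        url = fill_path(template, own["ids"])
        base_status, base_body = send("GET", url, own["token"])
        if base_status != 200:
            continue                      # owner cannot read it: no baseline
        atk_status, atk_body = send("GET", url, atk["token"])
        if atk_status == 200 and atk_body == base_body:
            findings.append(f"GET {template}")
    return findings


# Constructed stand-in application: one correct check, one missing check.
_USER_BY_TOKEN = {"tok-alice": "1", "tok-bob": "2"}
_USER_RE = re.compile(r"^/users/(\d+)$")
_INVOICE_RE = re.compile(r"^/users/(\d+)/invoices/(\d+)$")


def vulnerable_app(method: str, url: str, token: str) -> Response:
    caller = _USER_BY_TOKEN.get(token)
    if caller is None:
        return 401, "unauthorized"
    if url == "/health":
        return 200, "ok"
    m = _USER_RE.match(url)
    if m:
        # BUG: authenticated, but never checks that caller == requested user.
        return 200, f'{{"id":{m.group(1)},"email":"user{m.group(1)}@example.test"}}'
    m = _INVOICE_RE.match(url)
    if m:
        if m.group(1) != caller:
            return 403, "forbidden"       # correct object-level check
        return 200, f'{{"invoice":{m.group(2)},"owner":{m.group(1)}}}'
    return 404, "not found"


if __name__ == "__main__":
    for hit in probe_object_access(OPENAPI_SPEC, SESSIONS, vulnerable_app):
        print("IDOR:", hit)               # prints: IDOR: GET /users/{userId}
```

Against a real target you would replace `vulnerable_app` with a thin wrapper around an HTTP client and load the spec from the running service; the differential (owner baseline versus attacker replay) is the part a static analyser has no way to evaluate.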
Tools
- OWASP ZAP (OSS)
- Nuclei (OSS)
- StackHawk (SaaS)
- Burp Suite (SaaS)
Verdict by project size
- Small: Skip
- Medium: Recommended
- Large: Must
- Extra-large: Must
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 4h | 1h | $0 | +5m |
| Medium 10–100k LOC | 2d | 5h | $200 | +10m |
| Large 100k–1M LOC | 8d | 20h | $1k | +20m |
| Extra-large >1M LOC | 25d | 80h | $10k | +30m |
Setup = engineer-days to first useful run ·
Maint = engineer-hours / month at steady state ·
Tool = out-of-pocket $ / month ·
CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle: Build, Test
Per merge: runs after merge to main; nightly heavy jobs.
Who owns it: Security / AppSec (SAST, DAST, threat modelling)
Collaborates with: Developer
Reference implementations
- OWASP ZAP baseline scan: containerized DAST baseline scan suitable for CI pipelines.
- OWASP ZAP automation framework: declarative DAST jobs suitable for repeatable security validation.
- Nuclei templates: large maintained corpus of runtime vulnerability detection templates.
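The piece the reference implementations leave to you is the CI gate: the ZAP baseline scan writes a report, and something has to decide whether the pipeline fails. The block below is an added example, not ZAP project code. It flattens a ZAP JSON report into one finding per alert instance and blocks the build on anything at or above a risk threshold unless the (alertRef, uri) pair is on a reviewed allowlist. Keying exceptions on the instance rather than the rule stops one accepted CSP finding on /login from silently accepting CSP findings on every page. The report layout (site[].alerts[].riskcode / alertRef / instances[].uri) follows ZAP's traditional-json format as I understand it; the sample report, alert names, plugin IDs, staging URL and the docker invocation quoted in the docstring are constructed or assumed, not taken from the page.

```python
"""Added example, not ZAP project code: CI gate over a ZAP JSON report.

Meant to run after a baseline scan such as (assumed current CLI, check the
ZAP docs for your version):
  docker run --rm -v "$PWD":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable \
      zap-baseline.py -t https://staging.example.com -J zap-report.json
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

RISK_NAMES = {0: "informational", 1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class Finding:
    alert_ref: str
    name: str
    risk: int      # ZAP riskcode: 0 info, 1 low, 2 medium, 3 high
    uri: str


def parse_report(report: Dict) -> List[Finding]:
    """Flatten a ZAP JSON report into one Finding per alert instance."""
    out: List[Finding] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", "0"))
            ref = str(alert.get("alertRef") or alert.get("pluginid", "?"))
            for inst in alert.get("instances", []):
                out.append(Finding(ref, alert.get("name", ""), risk, inst.get("uri", "")))
    return out


def gate(findings: Iterable[Finding], min_risk: int = 2,
         allowlist: Iterable[Tuple[str, str]] = ()) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking). Blocking = risk >= min_risk and not allowlisted."""
    allowed = set(allowlist)
    blocking = [f for f in findings
                if f.risk >= min_risk and (f.alert_ref, f.uri) not in allowed]
    return not blocking, blocking


def run(report_path: str, min_risk: int = 2,
        allowlist: Iterable[Tuple[str, str]] = ()) -> int:
    """CI entry point: exit 0 on pass, 1 when blocking findings remain."""
    with open(report_path, encoding="utf-8") as fh:
        passed, blocking = gate(parse_report(json.load(fh)), min_risk, allowlist)
    for f in blocking:
        print(f"[{RISK_NAMES.get(f.risk, f.risk)}] {f.alert_ref} {f.name} at {f.uri}")
    return 0 if passed else 1


# Constructed sample report: three alerts, four instances (illustrative data).
SAMPLE_REPORT_JSON = """
{"site": [{"@name": "https://staging.example.com", "alerts": [
  {"alertRef": "40018", "name": "SQL Injection", "riskcode": "3",
   "instances": [{"uri": "https://staging.example.com/search?q=x", "method": "GET", "param": "q"}]},
  {"alertRef": "10038", "name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
   "instances": [{"uri": "https://staging.example.com/", "method": "GET"},
                 {"uri": "https://staging.example.com/login", "method": "GET"}]},
  {"alertRef": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
   "instances": [{"uri": "https://staging.example.com/", "method": "GET"}]}
]}]}
"""
SAMPLE_REPORT = json.loads(SAMPLE_REPORT_JSON)

# Reviewed exception (constructed): CSP on /login accepted and tracked elsewhere.
ACCEPTED = [("10038", "https://staging.example.com/login")]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(run(sys.argv[1], allowlist=ACCEPTED))
    ok, hits = gate(parse_report(SAMPLE_REPORT), allowlist=ACCEPTED)
    print("passed" if ok else f"blocked by {len(hits)} finding(s)")
```

Keep the allowlist in the repository next to the pipeline definition so exceptions go through code review, and give each entry an owner and a revisit date; a baseline scan that can never fail the build is a dashboard, not a control.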