Legacy DAST tools are not effective when it comes to testing JavaScript front ends and APIs. To achieve better testing and results, it is essential to drive the API directly using industry standards like postman collections, OpenAPI spec, GraphQL, and introspection queries. Testing the front end in cookie settings and DOM XSS can also uncover potential security bugs. Key features to look for in a dynamic app set testing tool include the ability to run anywhere, provide real test data, and run custom security tests. By focusing on these aspects, you can ensure faster and more accurate AppSec testing.
Are we even making simple requests to the API? Good old JavaScript front end. It depends. It depends on the browser or browser emulator the legacy DAST tool is using and how well it's driving. What elements it can see, what it can render. If you've built support into your JavaScript application front end for specific versions of specific browsers. Now you can think of this sort of like Selenium scripts. And in Selenium scripts, you write a specific test. I wanna go to this page and then I wanna click on this button and then this should show up, right? That kind of Selenium test.
DAST is like that, except for you're expecting it to find all of the possible user input paths by itself and do a good job. It's just not gonna happen. It doesn't work well. So how can we get back to better testing, better results, faster, more accurate scans, uncovering these application security bugs that are built into our JavaScript apps now? The key here is driving the API directly. Using industry standards like postman collections, OpenAPI spec, GraphQL, introspection queries, you can have direct access to the API, understand what it does and the data it's controlling and get fast, thorough tests. Nevermind if you're building an API that doesn't have a front-end at all. Mind blown. There's still good things to find in testing the front end in cookie settings and DOM XSS. Protecting all the data that you could end up potentially putting at risk is a better place to start.
What are some of the keys to look for in a dynamic app set testing tool that will help you test APIs directly? First of all, run anywhere. Should run in your CICD, should be able to run against production, but really importantly, should be able to run your local host as you're developing. Should be able to provide real test data, so in the screenshots that we've got over here, we've got the Faker library turned on so that Faker is providing data. We've actually typed in data for some values. Lots of different options to be able to say, hey, API, here's what real data looks like. Also use that with your security tests. Run custom tests for broken access control and insecure direct object access. These are two of the top 10 OWASP API security things, and they're hard to test for without knowledge about how the API works. As you're developing the API, you can write things like tenancy checks, can customer A see customer B's data. Look for stuff like, can a regular user get into the admin functions? Those are some of the really hard things to test for. Now you can write that test once and keep running it over and over and over again to make sure that the API stays secure. Like I said, you should be looking for something that's built to scan modern applications, including server side applications, single page apps, REST APIs, GraphQL APIs and SOAP APIs. All of this leads to faster AppSec testing, faster time to fix and faster getting back to your regular work of building value in the application they're building.
Comments