Dynamic Application Security Testing (DAST)

Exercise the running application like an external attacker—find what scanners in the repo cannot see.

How DAST works

DAST sends real HTTP(S) requests to a deployed environment (often staging). It crawls or uses OpenAPI specs to discover routes, injects payloads, and observes responses, status codes, timing, and DOM changes. It excels at misconfigurations, exposed debug endpoints, auth/session flaws visible only at runtime, and some classes of injection when the app is live.

OWASP ZAP deep dive

OWASP ZAP (OWASP Zed Attack Proxy) is a free, community DAST proxy and scanner.

Spider / AJAX spider: discover links and client-side routes.
Active scan: attack mode—use only on authorized targets.
Contexts & users: scripted login flows for authenticated scans.
Automation framework: YAML-driven jobs for CI (baseline vs full).
Add-ons: GraphQL, SOAP, JWT, custom scripts.

Warning Authenticated scans can destroy data—use disposable data sets and read-only test tenants.

When to use DAST

After deploy to a staging stack that mirrors production config.
On a schedule (nightly/weekly) plus before major releases.
When API surface is defined by OpenAPI—speeds up coverage.

Features to look for

Capability	Benefit
OpenAPI import	Route coverage without fragile crawling
Auth scripting	Test behind login
Baseline mode	Fail build only on new alerts
CI-friendly exit codes	Gate pipelines deterministically

Tools comparison

Tool	Strength	Trade-off
OWASP ZAP	Open source, automation, huge community	Tuning needed for low noise
Burp Suite	Manual + pro scanner, great for testers	Pro is commercial
Commercial DAST clouds	Managed infra, compliance reports	Cost, less customization

Pros

Sees real WAF, headers, TLS, and routing behavior
No access to source required
Catches deployment-only mistakes

Cons

Slower than SAST; needs running env
Route coverage gaps without specs or crawl
False negatives on hidden business-logic flaws

Example: ZAP baseline in GitHub Actions

jobs:
  zap-baseline:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: 'https://staging.example.internal'
          rules_file_name: '.zap/rules.tsv'
          fail_action: true

Replace target with your authorized staging URL; add authentication hooks as needed for your app.