ABSTRACT

This chapter focuses on dynamic application security testing (DAST), along with some runtime security controls that serve as additional layers of Defense in Depth. DAST tools are a form of penetration testing or Black Box testing, in that testers don't need to possess knowledge of the application, its design, structure, or requirements. Interactive Application Security Testing (IAST), an emerging technology, helps identify and manage the security risks of software vulnerabilities discovered in running Web applications using dynamic testing techniques. Some products integrate software composition analysis tools to address known vulnerabilities in open source components and frameworks. Runtime Application Self-Protection (RASP) builds security into a running application wherever it resides on a server, usually through agents. Both Web and non-Web apps may be protected by RASP. When an application begins to run, RASP can protect it from malicious input or behavior by analyzing both the app's behavior and the context of that behavior.