Integration of DAST testing into secure web application development
Abstract
A series of runtime security assessments were conducted on institutional web applications by simulating real-world attacks using Dynamic Application Security Testing (DAST). The objective was to identify vulnerabilities during the testing phase of the Software Development Life Cycle (SDLC), prior to implementation and security audits. To this end, a controlled testing environment was designed, and the specialized Open Web Application Security Project Zed Attack Proxy (OWASP ZAP) tool was selected and configured. Automated and manual scans were performed to detect common vulnerabilities, such as cross-site scripting and insecure configurations. During the tests, significant findings were identified, primarily related to errors in input validation and default configurations. The results were compared with current web security standards, enabling the establishment of appropriate mitigation and prevention measures. Overall, the integration of DAST during the SDLC testing phase strengthened the ongoing security assurance of the evaluated systems by identifying runtime vulnerabilities before their deployment in production environments.
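The abstract describes integrating DAST scans into the testing phase so that findings block a release before production. The script below is an added example of how such a gate is typically wired into a pipeline; it is not code from the article or from the OWASP ZAP project. It assumes the JSON report layout written by ZAP's scan scripts (for example `zap-baseline.py -J report.json`): a top-level `site` list whose entries carry an `alerts` list, each alert having `alert`, `riskcode` (0 informational to 3 high), `confidence` (0 false positive to 3 high), `cweid` and `instances`. The sample report embedded in the script is constructed for this example and is not real scan output.

```python
"""Gate a build on the findings of an OWASP ZAP DAST scan.

Added example (not the article's or ZAP's own code). Assumes the ZAP JSON
report layout described in the lead-in; the sample report is constructed.
"""
import json

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report shaped like a ZAP JSON export, trimmed to the
# fields this script reads. Hostnames and findings are invented.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://app.test",
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "cweid": "79",
             "instances": [{"uri": "http://app.test/search?q=test",
                            "method": "GET", "param": "q"}]},
            {"alert": "Missing Anti-clickjacking Header", "riskcode": "2",
             "confidence": "2", "cweid": "1021",
             "instances": [{"uri": "http://app.test/", "method": "GET",
                            "param": ""}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "cweid": "693",
             "instances": [{"uri": "http://app.test/", "method": "GET",
                            "param": ""},
                           {"uri": "http://app.test/login", "method": "GET",
                            "param": ""}]},
        ],
    }],
})


def parse_alerts(report_text):
    """Flatten a ZAP JSON report into one dict per alert (not per instance)."""
    report = json.loads(report_text)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            findings.append({
                "site": site.get("@name", ""),
                "name": alert["alert"],
                "risk": int(alert["riskcode"]),
                "confidence": int(alert.get("confidence", 0)),
                "cwe": alert.get("cweid", ""),
                "instances": len(alert.get("instances", [])),
            })
    return findings


def summarize(findings):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for finding in findings:
        counts[RISK_NAMES[finding["risk"]]] += 1
    return counts


def gate(findings, fail_at=2, min_confidence=2):
    """Return (passed, blocking).

    An alert blocks the build when its risk is at or above fail_at and its
    confidence is at least min_confidence; lower-confidence alerts are still
    reported but do not block, so the gate is not tripped by scanner noise.
    """
    blocking = [f for f in findings
                if f["risk"] >= fail_at and f["confidence"] >= min_confidence]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_REPORT)
    print(summarize(found))
    passed, blocking = gate(found)
    for f in blocking:
        print(f"BLOCK [{RISK_NAMES[f['risk']]}] {f['name']} (CWE-{f['cwe']}) "
              f"x{f['instances']} on {f['site']}")
    raise SystemExit(0 if passed else 1)
```

Run against a real report by replacing `SAMPLE_REPORT` with the file contents; the non-zero exit code is what makes the CI stage fail. Gating on medium risk and above with at least medium confidence mirrors the triage the abstract describes: high-confidence input-validation flaws such as reflected XSS and insecure default headers stop the release, while low-risk hardening notes are logged for follow-up rather than blocking.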
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.