
DAST vs. Endpoint Detection and Response for Web Application Security


Web application security is becoming a critical part of cybersecurity operations. Web applications hold sensitive data and are often responsible for a significant part of an organization’s revenue. Many security tools are available to secure web applications; in this article I’ll focus on two types of tools: dynamic application security testing (DAST) and endpoint detection and response (EDR).

What is Dynamic Application Security Testing (DAST) and How Does it Work?

Dynamic application security testing (DAST) tools analyze web apps in production and runtime, looking for security vulnerabilities and weaknesses. DAST is a black box test performed externally without access to the application’s source code or architecture. The test simulates an external attack to identify exploitable vulnerabilities and weaknesses.

DAST simulates real attacks to test the app’s resiliency. For example, DAST can use injection techniques to submit malicious input to the application and determine whether it is exposed to cross-site scripting (XSS) and SQL injection (SQLi) attacks. Here is how DAST usually works:

  • Continuous scanning—DAST scanners first crawl through a web app to locate all exposed input on pages and then test each page. 
  • Automated alerts—after detecting a vulnerability, DAST tools automatically send alerts to the relevant personnel for quick remediation.

DAST can work continuously during development and after deployment. The process is fully automated to enable rapid identification. DAST tools enable proactive defense, helping prevent attacks before they occur. While most DAST tools test only exposed HTTP and HTML interfaces, some tools can test non-web protocols and data malformation.
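The crawl-then-probe loop described above, as an added example that is not code from the original article or from any DAST product. The "application" is a constructed in-process stand-in (a function taking a path and a dict of parameters and returning HTML) so the script runs offline; a real scanner would speak HTTP to the target. A vulnerable stand-in that reflects input unescaped and echoes a database error sits beside a hardened one that escapes output and does not echo errors, so the same scanner shows both outcomes. The probe marker and error signatures are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Probe payloads: a harmless marker to detect unescaped reflection, and a single quote
# to provoke a database error message. These are detection probes, not exploits.
XSS_MARKER = "<dast-probe-7f3a>"
SQL_PROBE = "'"
SQL_ERROR_SIGNATURES = ("sql syntax", "sqlite3.operationalerror", "unterminated quoted string")


class PageParser(HTMLParser):
    """Collect links and form inputs from a page, as a DAST crawler does."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(app, start="/"):
    """Breadth-first crawl: returns {path: [forms]} for every reachable page."""
    seen, queue, pages = set(), [start], {}
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        parser = PageParser()
        parser.feed(app(path, {}))
        pages[path] = parser.forms
        for href in parser.links:
            target = urlparse(urljoin(path, href)).path
            if target not in seen:
                queue.append(target)
    return pages


def scan(app):
    """Submit probes to every discovered input; report findings as (page, input, issue)."""
    findings = []
    for path, forms in crawl(app).items():
        for form in forms:
            action = urlparse(urljoin(path, form["action"] or path)).path
            for name in form["inputs"]:
                body = app(action, {name: XSS_MARKER})
                if XSS_MARKER in body:  # marker came back unescaped: reflected XSS
                    findings.append((action, name, "reflected-xss"))
                body = app(action, {name: SQL_PROBE}).lower()
                if any(sig in body for sig in SQL_ERROR_SIGNATURES):
                    findings.append((action, name, "sql-error-disclosure"))
    return findings


# Constructed stand-in applications (not real software).
INDEX = '<a href="/search">search</a><a href="/login">login</a>'
SEARCH_FORM = '<form action="/search"><input name="q"></form>'
LOGIN_FORM = '<form action="/login"><input name="user"><input name="pw"></form>'


def vulnerable_app(path, params):
    """Reflects input unescaped and leaks a database error on a stray quote."""
    if path == "/":
        return INDEX
    if path == "/search":
        q = params.get("q", "")
        if "'" in q:
            return "<p>sqlite3.OperationalError: unrecognized token</p>"
        return SEARCH_FORM + f"<p>Results for {q}</p>"
    if path == "/login":
        return LOGIN_FORM + "<p>Welcome " + params.get("user", "") + "</p>"
    return ""


def hardened_app(path, params):
    """Same pages, but output is HTML-escaped and errors are never echoed to the client."""
    if path == "/":
        return INDEX
    if path == "/search":
        return SEARCH_FORM + f"<p>Results for {html.escape(params.get('q', ''))}</p>"
    if path == "/login":
        return LOGIN_FORM + "<p>Welcome " + html.escape(params.get("user", "")) + "</p>"
    return ""


if __name__ == "__main__":
    for finding in scan(vulnerable_app):
        print("FINDING", finding)
    print("hardened app findings:", scan(hardened_app))
```

Against the vulnerable stand-in the scanner reports reflected XSS on the search and login forms and an SQL error disclosure on the search input; against the hardened stand-in it reports nothing, which is the point of the "black box" approach: the scanner never sees the source, only what comes back.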

What is Endpoint Detection and Response (EDR)?

EDR solutions aggregate and analyze security-related data from multiple endpoints, such as computer workstations. EDR aims to facilitate quick detection and response to potential threats. The historical data collected by EDR tools can provide the needed context for proactive forensics and threat hunting, helping security teams and tools hunt for zero-day vulnerabilities and insider threats.

EDR capabilities vary greatly between vendors and implementations. However, the majority employ behavioral analysis to effectively detect emerging threats and active attacks, such as malicious software (malware), ransomware, emerging exploit chains, and advanced persistent threats (APTs).

How EDR Works

EDR platforms continuously ingest data from endpoints, including event logs and authentication attempts. The platform aggregates, correlates, and analyzes this data and initiates the appropriate response to detected threats. EDR solutions typically retain this data for future analysis and forensics. Here is how this process works:

  • Telemetry ingestion—EDR solutions continuously ingest telemetry data from endpoints. It typically involves installing a software agent on each endpoint, but some platforms may collect data indirectly.
  • Data collection—EDR solutions gather the ingested telemetry data from all endpoints in one central location. Most EDR vendors send this information to a cloud-based platform, but organizations that must meet compliance requirements can implement a hybrid cloud or on-premises deployment.
  • Data correlation—EDR solutions use machine learning to correlate and analyze the massive amounts of telemetry data from multiple sources, including third-party security tools.
  • Data analysis—machine learning also helps EDR solutions identify patterns of normal behavior and use it as a baseline to detect abnormalities. Some solutions also compare these activities to real-world examples of cyberattacks provided by threat intelligence feeds.
  • Threat detection—EDR solutions flag activities suspected as potential threats and push alerts to relevant stakeholders, such as internal security personnel or external teams.
  • Threat response—EDR solutions include automation capabilities that can initiate actions to respond to threats. For example, a solution can automatically prevent the spread of malware by temporarily isolating the suspected endpoint from the rest of the network.
  • Data retention—EDR solutions retain telemetry so that analysts can look back in time. This historical data is needed to determine whether a newly detected attack is the latest stage of a longer-running breach or has only just begun, and it supports proactive threat hunting.

While EDR products can vary greatly in terms of capabilities, many apply the above process in some form or another. 
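The ingestion, baselining, detection, response and retention steps above, as an added example that is not code from the original article or from any EDR product. The telemetry lines, host names and process names are constructed for the demonstration, and the "baseline" is a simple set of parent-to-child process pairs observed during a learning window, standing in for a vendor's learned behavioural model. The process-name sets and the severity rules are assumptions chosen to show one classic web-server case: an injection that leads to remote code execution shows up on the endpoint as the web server process spawning a shell.

```python
import json
from collections import defaultdict

# Constructed telemetry, one JSON object per line, as an endpoint agent might ship it.
BASELINE_TELEMETRY = """
{"ts": 1700000000, "host": "web-01", "parent": "systemd", "child": "nginx"}
{"ts": 1700000001, "host": "web-01", "parent": "nginx", "child": "php-fpm"}
{"ts": 1700000002, "host": "ws-17", "parent": "explorer.exe", "child": "winword.exe"}
{"ts": 1700000003, "host": "ws-22", "parent": "explorer.exe", "child": "outlook.exe"}
not valid json: a corrupted line the ingester must survive
"""
NEW_TELEMETRY = """
{"ts": 1700003600, "host": "web-01", "parent": "nginx", "child": "php-fpm"}
{"ts": 1700003601, "host": "web-01", "parent": "php-fpm", "child": "sh"}
{"ts": 1700003602, "host": "web-01", "parent": "sh", "child": "curl"}
{"ts": 1700003603, "host": "ws-17", "parent": "winword.exe", "child": "powershell.exe"}
{"ts": 1700003604, "host": "ws-22", "parent": "explorer.exe", "child": "notepad.exe"}
"""
# Assumed process groups used by the severity rules.
WEB_SERVER_PROCESSES = {"nginx", "php-fpm", "httpd", "w3wp.exe"}
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def ingest(raw):
    """Telemetry ingestion: parse JSON lines and skip malformed ones."""
    events = []
    for line in raw.strip().splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def build_baseline(events):
    """Data analysis: record which parent->child process pairs are normal per host."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"], e["child"]))
    return baseline


def detect(events, baseline):
    """Threat detection: flag pairs outside the baseline and rate them by behaviour."""
    alerts = []
    for e in events:
        pair = (e["parent"], e["child"])
        if pair in baseline.get(e["host"], set()):
            continue
        if e["parent"] in WEB_SERVER_PROCESSES and e["child"] in SHELLS:
            severity, reason = "high", "web server spawned a shell (possible injection leading to RCE)"
        elif e["parent"] in OFFICE_APPS and e["child"] in SHELLS:
            severity, reason = "high", "office application spawned a shell"
        else:
            severity, reason = "low", "process pair not seen in baseline"
        alerts.append({"host": e["host"], "ts": e["ts"], "pair": pair,
                       "severity": severity, "reason": reason})
    return alerts


def respond(alerts):
    """Threat response: isolate a host on any high-severity alert, otherwise notify."""
    actions = {}
    for a in alerts:
        if a["severity"] == "high":
            actions[a["host"]] = "isolate"
        elif a["host"] not in actions:
            actions[a["host"]] = "notify"
    return actions


class Retention:
    """Data retention: keep every event so analysts can hunt backwards in time."""
    def __init__(self):
        self.store = []

    def add(self, events):
        self.store.extend(events)

    def hunt(self, host, since):
        """Return the process chain on a host from a point in time, oldest first."""
        return sorted((e for e in self.store if e["host"] == host and e["ts"] >= since),
                      key=lambda e: e["ts"])


def run_pipeline():
    retention = Retention()
    base_events, new_events = ingest(BASELINE_TELEMETRY), ingest(NEW_TELEMETRY)
    retention.add(base_events)
    retention.add(new_events)
    alerts = detect(new_events, build_baseline(base_events))
    return alerts, respond(alerts), retention


if __name__ == "__main__":
    alerts, actions, retention = run_pipeline()
    for a in alerts:
        print(a["severity"].upper(), a["host"], a["pair"], a["reason"])
    print("actions:", actions)
    for e in retention.hunt("web-01", 1700003600):
        print("hunt:", e)
```

Running it, web-01 is isolated because php-fpm spawned sh, ws-17 is isolated because a document editor spawned PowerShell, and ws-22 only gets a notification for an unfamiliar but benign-looking pair; the retained events let an analyst walk the full php-fpm to sh to curl chain afterwards.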

DAST vs. EDR: How Can They Protect Against OWASP Top 10 Vulnerabilities?

Both DAST and EDR can help protect against web application attacks, exemplified by the OWASP Top 10 web application vulnerabilities. DAST can directly scan for OWASP Top 10 weaknesses and suggest remediations, but it cannot by itself prevent any of these attacks. EDR, deployed on the web server, can implement security controls that block several important threat vectors.

The following table summarizes the OWASP Top 10 vulnerabilities and explains how each type of solution can help.

| OWASP Top 10 | How DAST Can Help | How EDR Can Help |
| --- | --- | --- |
| A01:2021 Broken Access Control | Scanning web applications and web servers and identifying missing authentication. | Alerting security teams about suspicious access attempts to the web service endpoint. |
| A02:2021 Cryptographic Failures (data not encrypted at rest or in transit) | Scanning web application communications and identifying the use of plain HTTP or other insecure protocols. | Identifying unusual data movements on the endpoint that might indicate data exfiltration. |
| A03:2021 Injection | Scanning web applications for all types of injection vulnerabilities (SQL injection, command injection, etc.). | If an injection attack leads to remote code execution on the web server, EDR can identify the suspicious process, block it and isolate the endpoint from the network. |
| A04:2021 Insecure Design | Scanning web applications and web servers to identify the lack of basic security controls. | EDR is typically deployed together with endpoint protection technology that provides advanced threat protection, even if the underlying web application lacks security controls. |
| A05:2021 Security Misconfiguration | Scanning web applications for misconfigurations such as open ports, default admin passwords, and XML External Entity (XXE) vulnerabilities. | Detecting and blocking exploitation of misconfigurations, for example malicious traffic to open ports. |
| A06:2021 Vulnerable and Outdated Components | Scanning web applications and web servers to determine whether public-facing components are running old versions. | Detecting and blocking exploitation of vulnerabilities; for example, if an attacker deploys malware via a known vulnerability, EDR can detect and block it. |
| A07:2021 Identification and Authentication Failures | Scanning web applications and web servers and identifying weak authentication and default passwords. | Enforcing authentication on the web server and alerting security teams about suspicious login attempts. |
| A08:2021 Software and Data Integrity Failures (supply chain attacks) | DAST is typically not able to scan for or detect this type of vulnerability. | Detecting and blocking malware or other suspicious activity on an endpoint after a successful supply chain attack. |
| A09:2021 Security Logging and Monitoring Failures | DAST is typically not able to scan for or detect this type of vulnerability. | Providing detailed logs of activity on a web service endpoint to enable forensic investigation. |
| A10:2021 Server-Side Request Forgery | Scanning web applications and detecting vulnerabilities that can allow SSRF, such as web applications pulling data from a remote source specified by the user. | Identifying and blocking malicious traffic resulting from a successful SSRF attack, such as HTTP redirections to malicious websites. |

In conclusion, both DAST and EDR can be very important for the security of your web servers and web applications. It is a best practice to deploy both of these, and additional, complementary security tools, to protect mission-critical web servers in your organization.

Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com, Tripwire.com, and VentureBeat.
