DAST vs. Endpoint Detection and Response for Web Application Security

Last updated: March 20, 2024 Reading time: 6 minutes

Web application security is becoming a critical part of cybersecurity operations. Web applications hold sensitive data and are often responsible for a significant part of an organization’s revenues. There are many security tools available to secure web applications—in this article, I’ll focus on two types of tools:

  • Dynamic Application Security Testing (DAST)—a black-box testing tool that can scan web applications at runtime to discover vulnerabilities.
  • Endpoint Detection and Response (EDR)—an agent that can be deployed on a web server and helps detect, block, and respond to successful cyber attacks against the server.

What is Dynamic Application Security Testing (DAST), and how does it work

Dynamic application security testing (DAST) tools analyze web apps at runtime, including in production, looking for security vulnerabilities and weaknesses. DAST is a black-box test performed externally without access to the application’s source code or architecture. The test simulates an external attack to identify exploitable vulnerabilities and weaknesses.

DAST simulates actual attacks to test the app’s resiliency. For example, DAST can use injection techniques to input malicious code into the application and determine whether it is exposed to cross-site scripting (XSS) and SQL injection (SQLi) attacks. Here is how DAST usually works:

  • Continuous scanning—DAST scanners first crawl through a web app to locate all exposed input on pages and then test each page. 
  • Automated alerts—DAST tools automatically send alerts to the relevant personnel for quick remediation after detecting a vulnerability.
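
The crawl step described above, sketched as an added example (not code from the article or from any DAST product): a same-origin crawler that builds the inventory of input points a scanner would go on to test. The site content, `BASE` origin, and the `PageParser` and `crawl` names are constructed for illustration, and pages are served from an in-memory dictionary so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

BASE = "http://app.example"  # hypothetical in-scope origin
SITE = {  # constructed sample site (path -> HTML) so the crawl runs offline
    "/": '<a href="/login">Login</a><a href="/search?q=test">Search</a>'
         '<a href="https://other.example/x">External</a>',
    "/login": '<form action="/session" method="post"><input name="user">'
              '<input name="pass" type="password">'
              '<input type="hidden" name="csrf" value="t"></form>',
    "/search": '<form action="/search"><input name="q">'
               '<select name="sort"></select></form><a href="/">Home</a>',
}

class PageParser(HTMLParser):
    """Collects links and named form fields from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": [],
                               "method": (a.get("method") or "get").upper()})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a["name"])

def crawl(start="/"):
    """Breadth-first, same-origin crawl; returns (method, path, parameter)."""
    origin = urlparse(BASE).netloc
    seen, queue, inventory = set(), [urljoin(BASE, start)], set()
    while queue:
        url = urlparse(queue.pop(0))
        if url.netloc != origin or url.path not in SITE:
            continue  # out of scope or unknown page
        # Query-string parameters on links are inputs too.
        inventory.update(("GET", url.path, n) for n in parse_qs(url.query))
        if url.path in seen:
            continue
        seen.add(url.path)
        page = PageParser()
        page.feed(SITE[url.path])
        for form in page.forms:
            target = urlparse(urljoin(url.geturl(), form["action"])).path
            inventory.update((form["method"], target, n) for n in form["inputs"])
        queue.extend(urljoin(url.geturl(), href) for href in page.links)
    return sorted(inventory)
```

The returned inventory includes the hidden `csrf` field and the `q` parameter found only in a link, which are the kinds of inputs a manual review tends to overlook; the external link is never followed.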

DAST can work continuously during development and after deployment. The process is fully automated to enable rapid identification. DAST tools enable proactive defense, helping prevent attacks before they occur. While most DAST tools test only exposed HTTP and HTML interfaces, some tools can test non-web protocols and data malformation.

What is Endpoint Detection and Response (EDR)

EDR solutions aggregate and analyze security-related data from multiple endpoints, such as computer workstations. EDR aims to facilitate quick detection and response to potential threats. The historical data collected by EDR tools can provide the context for proactive forensics and threat hunting, helping security teams and tools hunt for zero-day vulnerabilities and insider threats.

EDR capabilities vary significantly between vendors and implementations. However, most employ behavioral analysis to detect emerging threats and active attacks, such as malicious software (malware), ransomware, emerging exploit chains, and advanced persistent threats (APTs).

How EDR works

EDR platforms continuously ingest data from endpoints, including event logs and authentication attempts. The platform aggregates, correlates, and analyzes this data and initiates the appropriate response to detected threats. EDR solutions typically retain this data for future analysis and forensics. Here is how this process works:

  • Telemetry ingestion—EDR solutions continuously ingest telemetry data from endpoints. It typically involves installing a software agent on each endpoint, but some platforms may collect data indirectly.
  • Data collection—EDR solutions gather the ingested telemetry data from all endpoints in one central location. Most EDR vendors send this information to a cloud-based platform, but organizations that must meet compliance requirements can implement a hybrid cloud or on-premises deployment.
  • Data correlation—EDR solutions use machine learning to correlate and analyze massive amounts of telemetry data from multiple sources, including third-party security tools.
  • Data analysis—machine learning also helps EDR solutions identify patterns of normal behavior and use them as a baseline to detect abnormalities. Some solutions also compare these activities to real-world examples of cyberattacks provided by threat intelligence feeds.
  • Threat detection—EDR solutions flag activities suspected as potential threats and push alerts to relevant stakeholders, such as internal security personnel or external teams.
  • Threat response—EDR solutions include automation capabilities that can initiate actions to respond to threats. For example, a solution can automatically prevent the spread of malware by temporarily isolating the suspected endpoint from the rest of the network.
  • Data retention—EDR solutions retain data to ensure the system and its users remain informed. The retained data provides the history needed to determine whether a new cyberattack is part of a longer-running breach or has only just emerged. It also helps facilitate proactive threat hunting.

While EDR products can vary significantly in terms of capabilities, many apply the above process in some form. 
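
The analysis, detection and response steps above, reduced to an added example that is not taken from the article or from any EDR product: a baseline of normal parent-to-child process starts on a web server, with anything outside it flagged and a response chosen. A simple frequency count stands in for the machine learning the article mentions, process names stand in for process IDs, and the telemetry, host name and action labels are constructed.

```python
from collections import Counter

# Constructed process-start telemetry (host, parent, child); not real EDR output.
BASELINE_EVENTS = [
    ("web01", "systemd", "nginx"), ("web01", "nginx", "php-fpm"),
    ("web01", "php-fpm", "convert"), ("web01", "cron", "logrotate"),
] * 20
NEW_EVENTS = [
    ("web01", "nginx", "php-fpm"),
    ("web01", "php-fpm", "sh"),       # web worker starts a shell
    ("web01", "sh", "curl"),          # the shell starts a download tool
    ("web01", "cron", "backup.sh"),   # new scheduled job
    ("web01", "cron", "logrotate"),
]
WEB_PROCESSES = {"nginx", "php-fpm"}  # assumed names of the web stack


def build_baseline(events, min_count=5):
    """Parent->child pairs seen often enough to count as normal behavior."""
    counts = Counter((parent, child) for _, parent, child in events)
    return {pair for pair, n in counts.items() if n >= min_count}


def detect(events, baseline):
    """Flag process starts outside the baseline and pick a response."""
    alerts, tainted = [], set()
    for host, parent, child in events:
        if (parent, child) in baseline:
            continue
        # An unknown child of a web process, or of a process already flagged
        # as high severity, is escalated and the host is isolated.
        high = parent in WEB_PROCESSES or parent in tainted
        if high:
            tainted.add(child)
        alerts.append({"host": host, "parent": parent, "child": child,
                       "severity": "high" if high else "medium",
                       "action": "isolate_host" if high else "alert_only"})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Because the baseline is learned from the server's own history, `php-fpm` starting `convert` stays quiet while `php-fpm` starting `sh` is escalated, which is the post-exploitation signal the article attributes to EDR after a successful injection.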

DAST vs. EDR: How can they protect against OWASP’s top 10 vulnerabilities

DAST and EDR can help protect against web application attacks, exemplified by the OWASP Top 10 vulnerabilities. DAST can directly scan for OWASP’s Top 10 weaknesses and suggest remediations, but it cannot prevent any of these attacks. EDR, by contrast, is deployed on the web server and can implement security controls that block several essential threat vectors.

The following table summarizes the OWASP Top 10 vulnerabilities and explains how each solution can help.

| OWASP Top 10 | How DAST Can Help | How EDR Can Help |
|---|---|---|
| A01:2021—Broken Access Control | Scan web applications and web servers and identify missing authentication. | Alerting security teams about suspicious access attempts to the web service endpoint. |
| A02:2021—Cryptographic Failures (data not encrypted at rest or in transit) | Scanning web application communications and identifying HTTP or other insecure protocols. | Identifying unusual data movements on the endpoint that might indicate data exfiltration. |
| A03:2021—Injection | Scanning web applications for all injection vulnerabilities—SQL injection, command injection, etc. | If an injection attack leads to remote code execution on the web server, EDR can identify the suspicious process, block it and isolate the endpoint from the network. |
| A04:2021—Insecure Design | Scanning web applications and servers to identify the lack of basic security controls. | Typically, EDR is deployed with endpoint protection technology that provides advanced threat protection, even if the underlying web application does not have security controls. |
| A05:2021—Security Misconfiguration | Scanning web applications for misconfigurations like open ports, default admin passwords, and XML External Entities (XXE) vulnerabilities. | Detecting and blocking exploitation of misconfigurations—for example, malicious traffic to open ports. |
| A06:2021—Vulnerable and Outdated Components | Scan web applications and servers to determine if public-facing components are running old versions. | Detecting and blocking exploitation of vulnerabilities—for example, if an attacker deploys malware via a known vulnerability, EDR can detect and block it. |
| A07:2021—Identification and Authentication Failures | Scan web applications and web servers and identify weak authentication and default passwords. | Enforcing authentication on the web server and alerting security teams about suspicious login attempts. |
| A08:2021—Software and Data Integrity Failures (supply chain attacks) | DAST is typically not able to scan or detect this type of vulnerability. | Detecting and blocking malware or other suspicious activity on an endpoint after a successful supply chain attack. |
| A09:2021—Security Logging and Monitoring Failures | DAST is typically not able to scan or detect this type of vulnerability. | Provide detailed activity logs on a web service endpoint to enable forensic investigation. |
| A10:2021—Server-Side Request Forgery | Scanning web applications and detecting vulnerabilities that can allow SSRF, such as web applications pulling data from a remote source specified by the user. | Identifying and blocking malicious traffic due to a successful SSRF attack, such as HTTP redirections to malicious websites. |

In conclusion, both DAST and EDR can be very important for your web servers and applications’ security. It is a best practice to deploy both of these and additional complementary security tools to protect mission-critical web servers in your organization.

About the Author

Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com, Tripwire.com, and VentureBeat.
