Agree! We need more screen time from Rick!

We are glad you found it useful. Thank you for the suggestion and we will aim to create a video on that topic in the future

It is definitely a good idea, and they are just as at risk as any app for vulns, especially environmental and configuration vulns. Thanks for your question!

Hi Chacko, DAST is important to identify issues in a running application that sometimes cannot be identified by other AST techniques. DAST can also confirm the exploitation of know vulnerabilities identified earlier in the SDLC. Running DAST scans early and often, shifting the scanning process as left as possible scanning from Dev all the way to the Production environment will increase the visibility for dangerous problems that can occur in your applications. Also, there is a misconception that a service running behind a WAF is safe by nature, which is not true. A common issue with WAFs are obfuscated attacks, that can circumvent the rules your WAF solution have in place. Fortify WebInspect (DAST) allows an automated creation of a set of WAF rules that can be applied to your WAF product, expediting the WAF staging process and helping to reduce the opportunity for obfuscated attacks. Similarly, WebInspect supports different sets of configurations that can make it suitable for the different SDLC phases you have, like (but not limited to) reducing the number of actives threads used for scanning, the custom cookies it inserts during the scanning process and the rules/checking coverage used for the test.

Ideally...you wouldn't skip DAST.

Just to clarify, are asking about choosing between SAST and DAST if you can only do one?

If you're asking which is better between SAST and DAST, that's a tough question to answer. There is no clear winner between the two. We encourage customers to do both to ensure they get comprehensive application security testing.

Both are needed