A penetration tester is assessing a customer-facing web portal. The tester has only limited knowledge of the internal source code but has access to an isolated staging environment where the portal runs with test accounts and realistic data. The goal is to uncover exploitable issues-such as input-validation errors, authentication bypasses, and business-logic flaws-that might remain invisible when merely scanning open-source libraries or reviewing code offline. Which vulnerability-discovery technique should the tester use to meet this objective most effectively?
Run static application security testing on the portal's source code repository.
Perform a software composition analysis to compare the portal's dependent libraries against known vulnerabilities.
Execute an unauthenticated TCP SYN scan against the server to map open ports and services.
Conduct dynamic application security testing against the running portal in the test environment.
Dynamic application security testing interacts with a fully running application, sending crafted requests and analyzing real responses. Because it observes runtime behavior, it can surface logic flaws, improper validation, and configuration weaknesses that static code reviews or library checks might overlook. Software composition analysis focuses on outdated or vulnerable dependencies, static application testing inspects source or binary files without execution, and a port scan only maps network services; none of those approaches reveal how the application actually behaves under attack.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DAST (Dynamic Application Security Testing)?
Open an interactive chat with Bash
How does DAST differ from SAST (Static Application Security Testing)?