Dynamic Application Security Testing evaluates a running application from the outside to identify weaknesses that only appear under real execution conditions. It is useful for validating authentication, session handling, and API behaviour, especially where configuration and integrations change how the system actually responds to attack.
Expanded Definition
Dynamic Application Security Testing, or DAST, is a black-box testing method that probes a live application while it is running. In NHI-heavy environments, that means observing what an application actually allows through login flows, session handling, API calls, and privilege boundaries rather than what source code or configuration claims it should allow.
DAST sits alongside static analysis and interactive testing, but it answers a different question: how does the system behave in execution? That matters when an application depends on token exchange, delegated access, or agent-driven workflows, because those behaviours can vary with environment, identity provider configuration, and upstream integrations. Definitions vary across vendors on how much runtime context a DAST tool should collect, so no single standard governs this yet. For a governance baseline, many teams anchor the testing program to the NIST Cybersecurity Framework 2.0 and then map findings to application risk scenarios.
The most common misapplication is treating DAST as a one-time release gate, which occurs when teams run scans only against a stable pre-production build and assume the same findings apply after authentication, third-party OAuth changes, or agent permission updates.
Examples and Use Cases
Implementing DAST rigorously often introduces test-environment instability and false-positive tuning effort, requiring organisations to weigh runtime coverage against release speed and operational noise.
- A team tests whether a service account can access endpoints after an API gateway rewrite, then confirms whether the live authorisation path still blocks unauthorised requests.
- An operator validates session timeout and reauthentication behaviour after an identity provider change, because token lifetime settings can alter how long an NHI remains effective.
- Security engineers scan an agent-enabled application to see whether tool invocation endpoints expose unsafe methods that static analysis missed, a risk profile discussed in the OWASP Agentic Applications Top 10.
- A product team runs DAST before enabling a new integration to confirm that request validation, redirects, and error handling do not reveal sensitive behaviour to unauthenticated users.
- Developers compare DAST findings with secrets handling guidance because a live scan may expose misrouted credentials or broken access paths that complement the patterns described in The State of Secrets in AppSec.
DAST is most useful when the target system’s security posture depends on configuration, orchestration, or identity exchange at runtime rather than on code alone. Teams often combine it with authenticated testing so the scanner can evaluate roles, scoped permissions, and workflow-specific controls under real execution conditions.
Why It Matters in NHI Security
For Non-Human Identity security, DAST matters because many failures only appear when a running application is asked to prove who it trusts and what it allows. That includes overbroad API access, broken session invalidation, weak token validation, and agent paths that retain authority longer than intended. These are not theoretical weaknesses when service-to-service access is live; they become breach paths.
NHIMG research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% partial visibility in The State of Non-Human Identity Security. That visibility gap makes runtime testing especially important, because a configuration that looks correct on paper may still permit unintended access in production-like conditions. In practice, DAST helps validate whether privilege boundaries survive integration drift, identity provider changes, and release pressure.
After an incident, teams frequently discover that the application was never tested under the exact authentication state, API path, or agent permission model that attackers used, at which point DAST becomes operationally unavoidable to close the gap.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | DAST helps surface runtime auth and session failures tied to non-human identity misuse. |
| OWASP Agentic AI Top 10 | A-07 | Agent tool access and execution paths require runtime validation, not just code review. |
| NIST CSF 2.0 | PR.AC-3 | Runtime access validation supports protected access enforcement in deployed systems. |
Test live identity flows and API enforcement to confirm service identities cannot exceed intended privileges.
