v2.4.0

Dynamic Application Security Testing (DAST) tests a running instance of the application for vulnerabilities by sending requests and analysing the responses. Unlike SAST, which examines source code, DAST exercises the deployed application as an attacker would and can detect vulnerabilities that arise from configuration, deployment or runtime behaviour rather than from the code alone. It only finds what it can reach: endpoints the scanner cannot discover, authenticate to, or drive with realistic input are not tested.

DAST scans should cover all internet-facing endpoints (the inference API and the human oversight interface) and all internal endpoints (administrative interfaces and inter-service APIs). Internal endpoints need a scanner that can reach them from inside the network, and authenticated surfaces need scan credentials and an authentication configuration; an unauthenticated scan of a login-protected interface tests little beyond the login page. OWASP ZAP provides open-source DAST capability, including an API scan driven from an OpenAPI definition, which suits the inference API better than spidering. The DAST scan is integrated into the deployment pipeline and runs against the staging environment before every production deployment, so that findings are known before the release is promoted.

DAST findings are prioritised by CVSS score and tracked in the vulnerability management register with the same remediation SLAs as other vulnerability findings. ZAP reports each alert with a risk level and a confidence rather than a CVSS score, so the CVSS score is assigned when the finding is triaged into the register. The scan configuration should be tuned to the AI system's specific endpoints and traffic patterns to minimise false positives: per-rule thresholds for alerts known to be benign on a given endpoint, exclusions for URLs that must not be exercised, and a request rate the staging deployment can absorb. DAST results (scan configuration, reports and triage decisions) are retained as Module 9 evidence.
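As an added example covering both the pipeline integration above and the triage of findings into the register (this is illustrative code, not code from the page or from the ZAP project), the following Python builds the zap-baseline.py invocation with a per-rule tuning file, then flattens the resulting JSON report into register entries with SLA due dates and a promotion gate. The staging URL, image tag, rule decisions, SLA days and the sample report are assumptions constructed for the example; the plugin ids, command-line flags and report field names are ZAP's own.

```python
"""Pipeline step: run OWASP ZAP against staging, then triage its JSON report into
vulnerability-register entries. Target, image, rule decisions, SLA days and the
sample report are assumptions made for this example, not values from the page."""
import json
import os
import subprocess
import sys
from datetime import date, timedelta

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"        # assumed; pin a digest in a real pipeline
STAGING_TARGET = "https://staging.example.internal"  # hypothetical staging URL

# Per-rule tuning for the zap-baseline.py -c rules file: "<pluginid>\t<level>\t<note>".
# IGNORE silences a rule, WARN reports it without failing the build, FAIL breaks the build.
# The plugin ids are ZAP's own rule ids; the decisions attached to them are assumed policy.
TUNING = {
    "10096": ("IGNORE", "Timestamp disclosure: model-version epoch in inference responses is intentional"),
    "10038": ("WARN", "CSP header not set: JSON-only inference API, tracked rather than build-breaking"),
    "40012": ("FAIL", "Reflected XSS: human oversight UI renders reviewer-supplied text"),
}


def rules_file_lines():
    """Lines of the tab-separated rules file zap-baseline.py reads via -c."""
    return [f"{pid}\t{level}\t{note}" for pid, (level, note) in TUNING.items()]


def zap_command(target, workdir, rules_file="zap-rules.tsv", report_json="zap-report.json"):
    """argv for the scan step; -c is read from and -J is written to /zap/wrk, i.e. workdir."""
    return [
        "docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk:rw", ZAP_IMAGE,
        "zap-baseline.py", "-t", target, "-c", rules_file, "-J", report_json,
    ]


RISK_NAME = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}
RISK_CODE = {name: code for code, name in RISK_NAME.items()}
SLA_DAYS = {"High": 7, "Medium": 30, "Low": 90, "Informational": None}  # assumed register SLAs


def triage(report, scan_date, min_confidence=1):
    """Flatten a ZAP JSON report into register entries ordered by risk, then confidence.

    ZAP alerts carry riskcode 0-3 and confidence 0-3 (0 means ZAP marked the alert a
    false positive), not CVSS; the CVSS score is assigned when the entry is triaged.
    """
    entries = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk_code, confidence = int(alert["riskcode"]), int(alert["confidence"])
            if confidence < min_confidence:
                continue  # drop alerts ZAP itself flagged as false positives
            risk = RISK_NAME[risk_code]
            sla = SLA_DAYS[risk]
            entries.append({
                "pluginid": alert["pluginid"],
                "title": alert["alert"],
                "risk": risk,
                "confidence": confidence,
                "cwe": alert.get("cweid"),
                "urls": sorted({inst["uri"] for inst in alert.get("instances", [])}),
                "due": (scan_date + timedelta(days=sla)).isoformat() if sla else None,
                "evidence": "Module 9: zap-report.json",
            })
    entries.sort(key=lambda e: (-RISK_CODE[e["risk"]], -e["confidence"]))
    return entries


def blocking(entries):
    """Entries that stop promotion: High risk, or a rule the tuning file marks FAIL."""
    return [e for e in entries
            if e["risk"] == "High" or TUNING.get(e["pluginid"], ("", ""))[0] == "FAIL"]


# Constructed report in ZAP's traditional JSON shape; not output from a real scan.
SAMPLE_REPORT = {
    "@version": "2.14.0",
    "site": [{"@name": STAGING_TARGET, "alerts": [
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "confidence": "2", "cweid": "79",
         "instances": [{"uri": f"{STAGING_TARGET}/oversight/review?case=1", "method": "GET"}]},
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3", "cweid": "693",
         "instances": [{"uri": f"{STAGING_TARGET}/v1/infer", "method": "POST"},
                       {"uri": f"{STAGING_TARGET}/v1/infer", "method": "GET"}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "confidence": "2", "cweid": "693",
         "instances": [{"uri": f"{STAGING_TARGET}/", "method": "GET"}]},
        {"pluginid": "10015", "alert": "Re-examine Cache-control Directives", "riskcode": "0",
         "confidence": "0", "cweid": "525", "instances": []},
    ]}],
}


def demo_entries():
    """Triage the constructed report as of a fixed scan date."""
    return triage(SAMPLE_REPORT, date(2024, 5, 1))


if __name__ == "__main__":
    with open("zap-rules.tsv", "w") as f:
        f.write("\n".join(rules_file_lines()) + "\n")
    subprocess.run(zap_command(STAGING_TARGET, os.getcwd()), check=False)  # exit code reflects rule levels
    with open("zap-report.json") as f:
        entries = triage(json.load(f), date.today())
    print(json.dumps(entries, indent=2))
    sys.exit(1 if blocking(entries) else 0)
```

Run as a pipeline step, the script writes the rules file, invokes the scan, prints the register entries and exits non-zero when a blocking finding is present. Keeping the gate in triage rather than relying only on zap-baseline.py's own exit code means the rule decisions and the SLA policy live in one reviewable place, and the JSON report plus the rules file are the artefacts to retain as Module 9 evidence.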

Key outputs

  • DAST scanning of all internet-facing and internal endpoints
  • CI/CD integration running against the staging environment
  • Findings tracked in the vulnerability management register
  • Module 9 AISDP evidence