OpenText • Application security
OpenText Dynamic Application Security Testing carries the Fortify WebInspect engine, exercising running web applications, REST and GraphQL APIs, and mobile-app backends with authenticated session handling, OWASP Top 10 coverage, and source-correlation back to OpenText SAST.
A Merito OpenText DAST engagement points the WebInspect engine at the customer's actual runtime application surface, builds out authenticated session handling for SSO and OAuth flows, and routes findings into Core Application Security alongside the existing SAST and SCA backlog.
What it is
OpenText Dynamic Application Security Testing carries the Fortify WebInspect engine. WebInspect has been the regulated-industry DAST tool for two decades, with established case law in financial services, government, defense, and healthcare. The 2024-2025 rebrand is cosmetic at the engine level. Programs running WebInspect transition to OpenText DAST without re-authoring scans.
Authenticated scanning is the load-bearing capability. Most applications worth testing sit behind authentication, and DAST that cannot maintain session through SSO, multi-step login, or token refresh ends up scanning the public landing page and missing the application. WebInspect handles SAML, OAuth, OIDC, multi-factor flows, custom session protocols, and the long-tail authentication shapes regulated programs ship. Programs running unauthenticated DAST are not running DAST.
Source correlation back to SAST is the platform advantage. DAST findings cross-reference back to Fortify SAST findings on the same code path, so AppSec sees both the source-level vulnerability and the runtime confirmation in one ticket. Aviator AI augmentation extends across DAST and SAST findings together, proposing fixes grounded in the customer's actual codebase. Programs running DAST as a standalone tool against a different vendor's SAST get fragmented findings; programs running OpenText DAST inside Core Application Security get unified backlog math.
What kills DAST adoption is environment access. DAST needs a runnable application with realistic data, working authentication, and network reachability from the scanner. Programs that run DAST against an empty staging environment with a generic test account scan a hollow shell. Merito's engagement starts with environment readiness (test data, authentication wiring, scan-window scheduling) before pointing the scanner at anything real, and tunes the policy to the specific application surface rather than running default rules across web, API, and mobile as if they were the same.
Ideal use cases
What it is best at
20+ years of regulated DAST production. Established case law in financial services, government, defense, and healthcare. Programs that need a defensible DAST engine pick the lineage with the most operational history.
SAML, OAuth, OIDC, multi-factor, custom session protocols. Long-tail authentication shapes regulated programs ship. Tools that lose session after the first redirect end up testing nothing useful.
Same scanner covers web apps, REST and GraphQL APIs, and mobile-app backends. Programs stop stitching together specialist DAST tools per surface.
DAST findings cross-link to the Fortify SAST flow path that introduced them. AppSec sees source and runtime in one ticket inside Core Application Security.
Application Security Aviator proposes fixes grounded in DAST findings cross-correlated with SAST source paths.
Core capabilities
What separates DAST that finds real issues from DAST that scans the public landing page.
Authenticated session handling
SAML, OAuth 2.0, OIDC, multi-factor, and custom session protocols. The scanner stays logged in across multi-step flows.
OWASP Top 10 and beyond
Coverage of injection, broken auth, misconfiguration, sensitive data exposure, and the rest of the OWASP catalog. Plus business-logic flaws caught through guided exploration.
API scanning (REST, GraphQL, SOAP)
Imports OpenAPI, GraphQL schema, or Postman collections and tests every endpoint with realistic auth and payload.
Mobile DAST
Native iOS and Android app scanning plus the backend services they call.
Adapting the scanner to the customer's actual application surface.
Application-specific tuning
Scan policies tunable per application, with web, API, and mobile policies separated rather than blended into one default.
Crawling depth and scope
Configurable crawl depth, allow-and-deny lists, and parameter handling so the scan covers what matters.
Scan windows and rate limiting
Configurable scan windows, request rate, and concurrency so DAST does not knock production-shaped staging environments offline.
DAST output flowing into the AppSec backlog inside Core Application Security.
Source correlation with SAST
DAST findings cross-link to Fortify SAST flow paths and Core SCA dependencies inside Core Application Security.
Aviator AI augmentation
AI-augmented triage and fix suggestions grounded in DAST findings.
Build-gate and ticketing integration
DAST results gate the staging-to-prod promotion and flow into Jira, Azure Boards, and ServiceNow.
Compliance reporting
Audit-ready evidence for SOC 2, FedRAMP, HIPAA, PCI DSS, and ISO 27001 attestations.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Standalone Dynamic Application Security Testing
Standalone DAST license deployable as SaaS, on-prem, or BYOC.
Best for: Programs that need DAST without the rest of the Core Application Security bundle.
Inside Core Application Security
DAST as part of the SaaS-unified SAST + DAST + Core SCA bundle.
Best for: Programs running unified AppSec.
Government Cloud (FedRAMP)
FedRAMP-authorized DAST for federal customers.
Best for: Federal programs requiring FedRAMP-authorized AppSec.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant or environment setup, authenticated-scanning wiring, policy tuning per application, CI/CD integration.
Explore service02Fortify WebInspect to OpenText Dynamic Application Security Testing migrations, on-prem to SaaS modernization.
Explore service03AppSec program scoping for OpenText DAST adoption alongside Checkmarx DAST, StackHawk, and Bright.
Explore service04DAST scheduled and gated in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket pipelines.
Explore service05Developer enablement and AppSec champion programs around DAST findings.
Explore service06Named engineer, priority SLAs, and release-time coverage for OpenText DAST.
Explore service07Long-term run support including authenticated-scan maintenance, scan-window operation, and policy evolution.
Explore service08Role-based training for AppSec architects, security engineers, and developers consuming DAST output.
Explore service09Merito-placed AppSec engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Dynamic Application Security Testing licensing
OpenText DAST pricing arrives with authenticated-session wiring, per-application policy tuning, scan-window scheduling, and CI/CD integration that turn 20 years of WebInspect engine depth into a working AppSec program.
Merito point of view
Merito has audited DAST programs that ran nightly against production-shaped staging, generated thousands of findings, and missed every business-logic flaw because the scanner lost session at the SSO redirect. Authenticated scanning is the difference between testing the application and testing the public landing page. WebInspect (now OpenText DAST) handles real session protocols across the long-tail authentication shapes regulated programs ship; programs that adopt DAST without configuring authentication correctly are doing compliance theater.
Merito recommends OpenText DAST specifically when the program is consolidating onto Core Application Security or already running OpenText AppSec, when source correlation with SAST matters, and when regulated DAST evidence (FedRAMP, HIPAA, PCI DSS) is a buying criterion. For programs picking developer-led cloud DAST without the rest of OpenText, StackHawk or Bright might fit better; Merito surfaces those alternatives honestly.
API DAST is where the program math changes. The API surface is usually the actual application; the web frontend is the easy half. Programs running DAST without API scanning are scanning the visible part and missing the structural risk. Merito's engagements include OpenAPI or GraphQL schema ingestion as a default.
What buyers usually underestimate
Related from Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Consultation request
Share your application surface (web, API, mobile), authentication shape, and current DAST tool if any. A Merito OpenText specialist follows up within one business day.
WebInspect lineage
20+ years of regulated DAST production. SAML, OAuth, OIDC, MFA, custom session protocols.
Source correlation
DAST findings cross-link to Fortify SAST flow paths inside Core Application Security.
Next step
A Merito OpenText DAST engagement starts with authentication wiring and per-application policy tuning. Default-rule scans against landing pages are not DAST.