Dynamic application security testing (DAST) is a process that scans and tests an application or software product while it is running. This kind of testing helps organizations meet industry requirements and provides a baseline of protection for new projects. For a list of DAST tools, you can refer to the OWASP website.
What does it do?
· DAST tools allow for automated analysis of web applications by checking all access points via the browser. The tools simulate malicious and random user behavior; steps such as e-mail validation or entering an SMS verification code can be completed with complex test cases specified by the operator, or through interactions with third-party systems.
· For a web application in a CI/CD pipeline, DAST tools continuously look for bugs, check for the faults attackers might seek to exploit, and show how they could break into the system remotely.
· A DAST tool sends automatic warnings to the relevant teams when it identifies a flaw so that they can assess and repair it. It can also produce a report that serves as an audit trail for security improvement.
· DAST tools are particularly helpful for detecting:
- Input/output validation problems (e.g. cross-site scripting and SQL injection);
- Errors in server setup and configuration;
- Problems with authentication, and other problems that only occur once a known user has logged in.
What is the benefit of DAST to the business?
· DAST tools help organizations better understand how their web apps work and actively point out new and evolving vulnerabilities as the apps grow. By using DAST in the software development lifecycle (SDLC) to detect vulnerabilities sooner, businesses can reduce risk while saving time and money.
· Companies can also use DAST to facilitate compliance with PCI and other forms of regulatory reporting. Some companies voluntarily use the OWASP Top 10 risk list as a benchmark for application security compliance.
SWOT analysis of DAST
Let's look at the Strengths, Weaknesses, Opportunities and Threats (SWOT) of DAST if we implement it in our CI/CD pipeline:
Available Tools in the Market
Below are some DAST tools, available in Freemium/Free and Commercial/Paid versions, that you can implement in your CI/CD pipeline:
Make sure to test a DAST tool first before you actually implement it in your CI/CD pipeline, to avoid unwanted errors or mistakes in your current pipeline.
Best Practice for DAST
- Minimize the CI/CD pipeline. Ensure your CI/CD pipeline completes within 10-15 minutes; otherwise the pipeline is not useful.
- Spidering. The value of DAST corresponds directly to how much of the application the spider covers.
- Separate CI/CD jobs. Separate all the stages and jobs in your CI/CD pipeline so that auditing and troubleshooting are easier.
- Finalize the tool. Use a tool that supports the programming languages you use and that can understand the software's underlying framework.
- Customize the DAST tool. Customize and fine-tune your DAST tool where needed to reduce false positives.
- DAST tool API. Ensure the DAST tool you select has an API, for scalability and automation.
- Everything as Code. Try to automate every stage in your CI/CD pipeline.
- Document everything. Record all the steps taken and the scan results on your wiki or knowledge-base page.
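One way to wire several of the practices above (fine-tuning to reduce false positives, keeping the job fast, documenting results) into a pipeline gate, as an added example that is not code from this tutorial or from any DAST vendor: a small Python script that reads a scanner report, applies a version-controlled suppression list of triaged false positives, and fails the job only on unsuppressed findings at or above a risk threshold. The report layout (site, alerts, instances), the plugin ids, the URLs and the triage note are all constructed for the example; `load_findings` is the place to adapt to the real output of the tool you choose.

```python
"""DAST quality gate for a CI/CD job (added example, not the tutorial's code).

Reads a scanner report, applies a documented suppression list for triaged
false positives, and exits non-zero only when an unsuppressed finding meets
the risk and confidence thresholds. The report layout, plugin ids, URLs and
triage note below are constructed; adapt `load_findings` to your tool.
"""
import json
import sys
from dataclasses import dataclass

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class Finding:
    plugin_id: str
    name: str
    risk: int         # 0 (informational) .. 3 (high)
    confidence: int   # 1 (low) .. 3 (high)
    url: str


# Constructed sample report: one staging site with four alert types.
SAMPLE_REPORT = json.dumps({"site": [{
    "name": "https://staging.example.test",
    "alerts": [
        {"pluginid": "1001", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
         "instances": [{"uri": "https://staging.example.test/search?q=x"}]},
        {"pluginid": "1002", "alert": "Missing Anti-clickjacking Header", "riskcode": "2",
         "confidence": "2",
         "instances": [{"uri": "https://staging.example.test/static/app.js"},
                       {"uri": "https://staging.example.test/login"}]},
        {"pluginid": "1003", "alert": "Cookie Without Secure Flag", "riskcode": "1",
         "confidence": "3", "instances": [{"uri": "https://staging.example.test/login"}]},
        {"pluginid": "1004", "alert": "Timestamp Disclosure", "riskcode": "2",
         "confidence": "1", "instances": [{"uri": "https://staging.example.test/"}]},
    ]}]})

# Suppressions are keyed by (plugin id, URL) and carry a justification, so the
# "customize the tool" and "document everything" practices live in one file
# that is versioned next to the pipeline definition.
SUPPRESSIONS = {
    ("1002", "https://staging.example.test/static/app.js"):
        "Static asset: frame headers are added at the CDN edge (constructed triage note)",
}


def load_findings(report_text: str) -> list:
    """Flatten the report so every (alert, instance) pair is one Finding."""
    findings = []
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                findings.append(Finding(str(alert["pluginid"]), alert["alert"],
                                        int(alert["riskcode"]), int(alert["confidence"]),
                                        inst["uri"]))
    return findings


def evaluate(findings, suppressions, fail_risk=2, min_confidence=2):
    """Sort findings into blocking / suppressed / below-threshold buckets.

    Low-confidence alerts never break the build on their own; they go to
    manual triage, which keeps the pipeline fast and the gate credible.
    """
    result = {"blocking": [], "suppressed": [], "below_threshold": []}
    seen = set()
    for f in findings:
        key = (f.plugin_id, f.url)
        if key in suppressions:
            seen.add(key)
            result["suppressed"].append(f)
        elif f.risk >= fail_risk and f.confidence >= min_confidence:
            result["blocking"].append(f)
        else:
            result["below_threshold"].append(f)
    # Suppressions that match nothing any more should be reviewed and removed,
    # otherwise the documented exceptions drift away from reality.
    result["stale_suppressions"] = sorted(set(suppressions) - seen)
    result["fail"] = bool(result["blocking"])
    return result


def summary_markdown(result) -> str:
    """Render the gate decision as Markdown for the job log or wiki page."""
    lines = ["## DAST gate: " + ("FAIL" if result["fail"] else "PASS"), ""]
    for bucket in ("blocking", "suppressed", "below_threshold"):
        lines.append(f"### {bucket.replace('_', ' ')} ({len(result[bucket])})")
        for f in result[bucket]:
            lines.append(f"- [{RISK_NAMES[f.risk]}/conf {f.confidence}] {f.name} "
                         f"(plugin {f.plugin_id}) at {f.url}")
        lines.append("")
    if result["stale_suppressions"]:
        lines.append("### stale suppressions (review and remove)")
        lines.extend(f"- {pid} at {url}" for pid, url in result["stale_suppressions"])
    return "\n".join(lines)


def main(argv):
    # Usage: python dast_gate.py [report.json]; without an argument the
    # constructed sample report is evaluated.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate(load_findings(text), SUPPRESSIONS)
    print(summary_markdown(result))
    return 1 if result["fail"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as the last step of the DAST job; the non-zero exit status is what makes the pipeline stage fail, and the Markdown summary can be attached as a job artifact or pasted into the knowledge base. On the constructed sample the gate fails on the SQL injection and on the missing header at `/login`, suppresses the same header finding on the static asset, and routes the low-risk and low-confidence alerts to triage.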
With the growth in attacks on web applications, businesses are increasingly aware that web application protection should be prioritized in the early stages of the CI/CD pipeline. By introducing web application scanners such as DAST tools, together with some basic best practices for web application security checks and vulnerability remediation, they can considerably reduce their risks and help keep their applications secure from opportunistic attackers.
Next you should read
Tutorial 2 -> How to implement DAST Zap Proxy in a CI/CD pipeline.
Interactive Application Security Testing (IAST)