The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| | |
|---|---|
| Stage | Secure |
| Maturity | Viable |
| Content Last Reviewed | 2024-06-07 |
Thank you for visiting this category direction page on Dynamic Application Security Testing (DAST) at GitLab. This page belongs to the Dynamic Analysis group of the Secure stage and is maintained by Sara Meadzinger.
This direction page is a work in progress and everyone can contribute:
Dynamic application security testing (DAST) runs automated penetration tests to find vulnerabilities in your web applications as they are running. DAST automates a hacker’s approach, simulates real-world attacks, and can identify critical threats such as cross-site scripting, SQL injection, and cross-site request forgery. DAST is language-agnostic and examines your application from the outside in.
We recommend adding DAST to your software development security program alongside other foundational application security testing such as secret detection, dependency scanning, static application security testing (SAST), container scanning, and API security testing. Including DAST in this defense-in-depth approach ensures that your team can identify and mitigate the runtime vulnerabilities and misconfigurations that other security tools cannot detect. With a running application in a test environment, DAST scans can be automated in a CI/CD pipeline, automated on a schedule, or run independently by using on-demand scans.
DAST has historically been the domain of security teams, rather than developers. Many organizational security teams are small and are not integrated into development teams, so they lack the resources to test applications for vulnerabilities before releasing them to a production environment. Discovering vulnerabilities in production or late in the development process is expensive and creates unnecessary risk for both the organization and the users of the application. GitLab DAST is designed to be managed by developers and run against a pre-production staging server, mitigating the risk of releasing vulnerable software to production.
Our goal is to help customers reduce the security risks and compliance challenges they face while building and maintaining web applications. We do this by focusing on the earliest phases of the software development lifecycle (SDLC) and by striving to improve collaboration between security teams and developers.
In GitLab 17.0 we removed Proxy-based DAST. It has been replaced by DAST (formerly named Browser-based DAST), a proprietary offering that provides full coverage for modern applications, including single-page web apps (SPAs).
Between 16.9-16.11, we completed a number of DAST Performance improvements, including:
See our prioritized roadmap here.
Over the next 3 months, we plan to:
With the remainder of the year, our focus is on:
Looking forward, we will continue to focus on features that enable customers to efficiently reduce risk. We want to ensure that it is easy to enable and run DAST scans, scan times are efficient, and security weaknesses identified via DAST are easy to prioritize and remediate. Future capabilities focus on reducing scan times, enabling greater flexibility with authentication, and providing better visibility into what has been scanned.
BIC (Best In Class) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.
For this product area, these are the capabilities a best-in-class solution should provide:
We have the advantage of being able to provide testing results before the app is deployed into the production environment, by using Review Apps. This means that we can provide DAST results for every single commit. The easy integration of DAST early in the SDLC is a unique position that GitLab has in the DAST market. Integrating other tools at this stage of the SDLC is typically difficult, at best.
The GitLab DAST features are all packaged as part of the GitLab Ultimate tier. This aligns with our pricing strategy as these features are relevant for executives who are concerned about keeping their organization secured from security weaknesses (CWEs).
DAST is not a standalone market evaluated by analysts, but is included in the analysis of DevSecOps and Application Security markets.