| Stage | Secure |
| Maturity | Viable |
| Content Last Reviewed | 2020-12-07 |
Thank you for visiting this category direction page on Dynamic Application Security Testing (DAST) at GitLab. This page belongs to the Dynamic Analysis group of the Secure stage and is maintained by Derek Ferguson (dferguson@gitlab.com).
This direction page is a work in progress and everyone can contribute:
Dynamic application security testing (DAST) is a process of testing an application or software product in an operating state.
When an application has been deployed and started, DAST connects to the published service via its standard web port and performs a scan of the entire application. It can enumerate pages and verify if well-known attack techniques, like cross-site scripts or SQL injections are possible. DAST will also scan REST APIs using an OpenAPI specification as a guide for testing the API endpoints.
DAST doesn't need to be language specific, since the tool emulates a web client interacting with the application, as an end user would.
As DAST has historically been the domain of security teams, rather than developers, testing the application in its running state has often been overlooked during the development process. Since this type of testing requires an application to be deployed, the attack surface of the running application is usually not evaluated until the application has finished the development cycle and is deployed to a staging server (or worse, to production!). Testing this late in the SDLC means that developers have little to no time to respond to any vulnerabilities are found and trade-offs must be made between fixing vulnerabilities and releasing on time. This can lead to vulnerabilities being released into production either as a calculated risk or with no knowledge of the vulnerability at all.
We see the area of dynamic application security testing as an ideal collaboration point between established security teams and developers, leading to finding and fixing vulnerabilities earlier in the SDLC and reducing the number of vulnerabilities released to production. By integrating DAST into their pipelines and utilizing review apps, developers can be more conscious of the security impacts their code has on the running application. This awareness can enable them to take initiative and fix these before merging their features into the default branch. For the security team member, being able to create issues for any vulnerability found earlier in the SDLC (either by reviewing pipeline results or running on-demand scans) allows them to take a proactive approach to security, rather than reactive. All of this allows these teams to work together to reduce the overall risk of deploying new code to a production application.
Our goal is to provide DAST as part of the standard development process. This means that DAST is executed every time a new commit is pushed to a branch. We also include DAST as part of Auto DevOps.
Since DAST requires a running application, we can provide results for feature branches leveraging Review Apps, temporary environments that run the modified version of the application. We can also provide results for applications running on other servers, such as staging or development environments, either through a CI/CD pipeline scan or a manually triggered on-demand scan.
DAST results can be consumed in the merge request, where new vulnerabilities are shown. A full report is available in the pipeline details page.
DAST results are also a part of the Security Dashboard, where Security Teams can check the security status of their projects.
We also want to ensure that the production environment is always secure, by running an on-demand DAST scan on the deployed app even if there is no change in the code. On-demand scans will allow for out-of-band security testing and issue reproduction, without needing any code changes or merge requests to start a scan.
Now that the on-demand scan MVC has shipped, we want to improve the DAST configuration process by adding more options for configuration and moving most configuration to the GitLab UI, leading to a GA of on-demand DAST scans in 13.7. There are several initiatives in process to enable this by improving the backend configuration and adding the UI configuration options. The UI configuration options will be available as profiles that can be mixed and matched to make it easier to run different types of DAST scans against a single project. Providing the configurations as profiles will make it easy for a single project to have both targeted and full scans, API and site scans, and passive and active scans all available to run with a couple of clicks.
In addition to using profiles to quickly configure scans, we will also be enabling users to save their on-demand scans so commonly run scans can be initiated with a single click. Adding onto the saved scans, we will also give users the ability to associate their scans with branches other than the default branch. Since the default branch is typically a protected branch and not every developer or security team member has authorization to run scans on it, being able to select which branch to associate the scans results with will allow for a wider range of users to leverage on-demand scans.
As the on-demand scans feature is finished, along with the DAST profiles, we will shift our attention to increasing the depth of the DAST scans and the usability of the on-demand scans and profiles. Working to make the dashboard and vulnerability reports more usable, we will begin to aggregate vulnerabilities that are reported on multiple URLs into a single vulnerability. This will greatly reduce the number of vulnerabilities reported by DAST scans and make it much easier to find and fix issues that are found. Looking at increasing the depth of the DAST scans, we will begin to integrate two new scanners into the DAST analyzer. These new scanners will enable DAST to better scan modern single page applications and APIs other than REST, such as GraphQL and SOAP. For the focus on usability of on-demand scans and profiles, we will be working on adding the ability to use the DAST profiles in the CI/CD pipeline scans and creating a scheduler for on-demand scans.
We have an advantage of being able to provide testing results before the app is deployed into the production environment, by using Review Apps. This means that we can provide DAST results for every single commit. The easy integration of DAST early in the software development life cycle is a unique position that GitLab has in the DAST market. Integrating other tools at this stage of the SDLC is typically difficult, at best.
We want to engage analysts to make them aware of the security features already available in GitLab. They also perform analysis of vendors in the space and have an eye on the future. We will blend analyst insights with what we hear from our customers, prospects, and the larger market as a whole to ensure we’re adapting as the landscape evolves.
