DAST is the abbreviation of Dynamic Application Security Testing. It is a form of application security testing that complements SAST and belongs to the black-box testing family: it exercises the running application from the outside rather than analysing its source.
Advantages of DAST
Quickly finds common, easily exploited vulnerability classes (XSS, SQL injection, etc.)
No need to access the source code
Disadvantages of DAST
Cannot pinpoint a vulnerability to a specific line of code
Scans take a long time
The report needs some security expertise to interpret
Using JiHu GitLab DAST
In late April 2022 Gartner released the Magic Quadrant for Application Security Testing; GitLab sits in the Challengers quadrant:
JiHu GitLab is functionally a superset of GitLab. DAST is one of the important security features in the JiHu GitLab DevSecOps security system, helping users build a dynamic security defense, and it keeps being enhanced with each release.
JiHu GitLab DAST can be used as a standalone tool to dynamically scan an application, or embedded in a CI/CD pipeline to help users achieve real DevSecOps.
JiHu GitLab can be used as a standalone DAST tool to dynamically scan an application that is already running. For example, start a Jenkins instance with the following command:
```shell
$ docker run -d -p 8088:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home jenkins/jenkins:lts-jdk11
```
Open http://jenkins.example.com:8088, log in to Jenkins, and confirm the instance is running normally. JiHu GitLab can then scan the Jenkins instance on its own.
Create a repo on JiHu GitLab and add the following to its .gitlab-ci.yml file:
```yaml
include:
  - template: DAST.gitlab-ci.yml

stages:
  - test

dast:
  stage: test
  variables:
    DAST_WEBSITE: "http://jenkins.example.com:8088"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_BROWSER_SCAN: "true"
    DAST_SKIP_TARGET_CHECK: "true"
```
Trigger the CI/CD pipeline and view the results (the output is long; only part of it is shown):
On the Ultimate tier, users can also see the complete vulnerability report under Security & Compliance -> Vulnerability Report:
Integrating with CI/CD
DAST is an important security testing method for realising DevSecOps. Embedding DAST into CI/CD delivers real "security automation". Because DAST is a dynamic test, its job must run only after the application has been deployed successfully:
The job order in the JiHu GitLab CI/CD pipeline is:
```yaml
stages:
  - build
  - test
  - deploy
  - dast
```
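The `deploy -> dast` ordering only helps if the application is actually answering when the dast stage starts; the pipelines in this article sidestep that with `DAST_SKIP_TARGET_CHECK: "true"`. As an added example (not code from the article or from JiHu GitLab), the following readiness probe is the alternative: a step run at the end of the deploy stage that polls the freshly deployed URL until it responds, so the scanner never runs against a container that is still booting and silently produces an empty report. The local HTTP server and the `start_delayed_server` / `unused_local_url` helpers are constructed for the demonstration only.

```python
"""Readiness probe for the deploy -> dast hand-off (added example, not JiHu GitLab code)."""
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request


def wait_for_target(url: str, timeout: float = 60.0, interval: float = 0.5) -> bool:
    """Return True once `url` answers with any HTTP status below 500, False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=interval) as resp:
                if resp.status < 500:
                    return True
        except urllib.error.HTTPError as exc:
            # A 4xx (for example Jenkins' 403 on its login-protected root) still proves the app is up.
            if exc.code < 500:
                return True
        except (urllib.error.URLError, OSError):
            pass  # connection refused/reset or read timeout: the app is still starting
        time.sleep(interval)
    return False


class _OkHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the deployed application (constructed for this example)."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_delayed_server(delay: float):
    """Bind a loopback server now but only start answering after `delay` seconds,
    which imitates a container whose port is open before the app inside is ready."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _OkHandler)
    url = f"http://127.0.0.1:{server.server_port}/"

    def run():
        time.sleep(delay)
        server.serve_forever()

    threading.Thread(target=run, daemon=True).start()
    return server, url


def unused_local_url() -> str:
    """URL on a loopback port nobody listens on, to exercise the timeout path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return f"http://127.0.0.1:{s.getsockname()[1]}/"


if __name__ == "__main__":
    server, url = start_delayed_server(delay=1.0)
    print("target ready:", wait_for_target(url, timeout=10.0))
    server.shutdown()
    server.server_close()
```

In a real pipeline the deploy job would call `wait_for_target("$DAST_WEBSITE")` and fail if it returns False, so that `DAST_SKIP_TARGET_CHECK` can be left at its default.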
The following is a demo hosted on JiHu GitLab SaaS that shows DAST in use within JiHu GitLab CI/CD.
The JiHu GitLab CI/CD configuration is as follows:
```yaml
stages:
  - build
  - test
  - deploy
  - dast

build:
  image: docker:20.10.7-dind
  stage: build
  tags:
    - devsecops
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t $CI_REGISTRY_IMAGE:1.0.0 .
    - docker push $CI_REGISTRY_IMAGE:1.0.0

test:
  stage: test
  tags:
    - devsecops
  image:
    name: docker:20.10.7-dind
  script:
    - echo "go test"

deploy:
  image: docker:20.10.7-dind
  tags:
    - devsecops
  stage: deploy
  script:
    - docker run -d -p 9998:9998 $CI_REGISTRY_IMAGE:1.0.0

include:
  - template: DAST.gitlab-ci.yml

dast:
  stage: dast
  variables:
    DAST_WEBSITE: "http://your.application.real.url"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_BROWSER_SCAN: "true"
    DAST_SKIP_TARGET_CHECK: "true"
```
Trigger the CI/CD pipeline and view the build results:
On the Ultimate tier, users can also see the DAST results directly in the merge request:
The scan found two potential vulnerabilities. In this case the code may be merged only after they are fixed. Click a finding to create an issue for tracking the security problem:
After the problem is fixed, the pipeline containing the scan runs again. Once no security problem remains, the code can be merged and the corresponding issue closed.
Ultimate users can also view all DAST findings in the Security Dashboard, giving a unified and transparent view of security vulnerabilities:
DAST needs to work together with other security testing methods, such as SAST, secret detection and fuzz testing, to build a complete DevSecOps system.
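The merge gate described above is a feature of the Ultimate merge-request widget. As an added example (not code from the article or from JiHu GitLab), the script below reproduces the same policy for any tier by reading the `gl-dast-report.json` artifact the DAST job emits: findings at or above a chosen severity block the merge, and a report with no `vulnerabilities` section (scanner crashed, wrong target) is treated as a failure rather than as a clean scan. The field names used (`vulnerabilities`, `id`, `name`, `severity`, `location`) follow the GitLab security report schema; the sample report is constructed, and the vulnerability names in it are illustrative only.

```python
"""Triage gl-dast-report.json and gate the merge on it (added example, not JiHu GitLab code)."""
import json
from collections import Counter

# Order used for threshold comparison; these are the severity labels GitLab reports use.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1, "Unknown": 0}

# Constructed sample of a DAST report body (not real scan output).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "name": "Content Security Policy (CSP) Header Not Set", "severity": "Medium",
         "location": {"hostname": "http://your.application.real.url", "path": "/"}},
        {"id": "f2", "name": "Cross Site Scripting (Reflected)", "severity": "High",
         "location": {"hostname": "http://your.application.real.url", "path": "/search"}},
        {"id": "f3", "name": "X-Content-Type-Options Header Missing", "severity": "Low",
         "location": {"hostname": "http://your.application.real.url", "path": "/"}},
    ],
})


def load_findings(report_text: str) -> list:
    """Parse the report; a missing `vulnerabilities` key is an error, not 'no findings'."""
    data = json.loads(report_text)
    if not isinstance(data, dict) or "vulnerabilities" not in data:
        raise ValueError("report has no 'vulnerabilities' section; the scan probably did not run")
    return data["vulnerabilities"]


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'High': 1, 'Medium': 1, 'Low': 1}."""
    return dict(Counter(f.get("severity", "Unknown") for f in findings))


def blocking_findings(findings: list, fail_on: str = "High") -> list:
    """Findings whose severity is at or above `fail_on`, most severe first."""
    threshold = SEVERITY_RANK[fail_on]
    rank = lambda f: SEVERITY_RANK.get(f.get("severity", "Unknown"), 0)
    hits = [f for f in findings if rank(f) >= threshold]
    return sorted(hits, key=lambda f: -rank(f))


def gate(report_text: str, fail_on: str = "High") -> int:
    """Exit status for a CI step: 0 = may merge, 1 = blocking findings, 2 = unusable report."""
    try:
        findings = load_findings(report_text)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        print(f"DAST gate: {exc}")
        return 2
    print("DAST summary:", summarize(findings))
    blocking = blocking_findings(findings, fail_on)
    for f in blocking:
        loc = f.get("location", {})
        print(f"  BLOCKING [{f.get('severity')}] {f.get('name')} at {loc.get('hostname', '')}{loc.get('path', '')}")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    sys.exit(gate(text, fail_on="High"))
```

Run as `python dast_gate.py gl-dast-report.json` in a job that follows the dast stage; a non-zero exit fails the pipeline, which is what blocks the merge when the report contains a High or Critical finding.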