DevSecOps | JiHu GitLab Dynamic Application Security Testing (DAST) User Guide

DAST stands for Dynamic Application Security Testing. It is a form of application security testing that complements SAST and belongs to the black-box testing family: it exercises the running application rather than its source.

Advantages of DAST

  • Language independent

  • Quickly discovers exploitable vulnerabilities (XSS, SQL injection, etc.)

  • No need to access source code

Disadvantages of DAST

  • Unable to pinpoint security vulnerabilities to lines of code

  • Scans take a long time

  • The report needs some security expertise to interpret

Using JiHu GitLab DAST

Gartner released its 2022 AST Magic Quadrant in late April, with GitLab placed in the Challengers quadrant:

JiHu GitLab is a functional superset of GitLab. DAST is one of the important security capabilities in the JiHu GitLab DevSecOps security system and helps users build a dynamic security defense line; its functionality keeps being enhanced with each version iteration.

JiHu GitLab DAST can be used as a standalone tool for dynamic scanning of applications, or it can be embedded in the CI/CD pipeline to help users achieve real DevSecOps.

Standalone use

JiHu GitLab can be used as a standalone DAST tool to dynamically scan an application that is already running. For example, start a Jenkins instance with the following command:

$ docker run -d -p 8088:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home jenkins/jenkins:lts-jdk11

Log in to Jenkins at http://jenkins.example.com:8088 and confirm that the instance is running normally; you can then use JiHu GitLab to dynamically scan this Jenkins instance on its own.

Create a repository on JiHu GitLab and add the following to its .gitlab-ci.yml file:

include:
  - template: DAST.gitlab-ci.yml   # pulls in the predefined dast job

stages:
  - test

dast:
  stage: test
  variables:
    DAST_WEBSITE: "http://jenkins.example.com:8088"   # target to scan
    DAST_FULL_SCAN_ENABLED: "true"    # active scan, not only passive crawling
    DAST_BROWSER_SCAN: "true"         # use the browser-based crawler
    DAST_SKIP_TARGET_CHECK: "true"    # do not abort if the target availability check fails

You can now trigger the CI/CD pipeline and view the results (the job log is long; only part of it is shown):


On the Ultimate tier, users can also see the complete vulnerability report under Security & Compliance -> Vulnerability Report:

Integrated with CI/CD

DAST is an important security testing method for achieving DevSecOps. Embedding DAST into CI/CD delivers real "security automation". Because DAST is a dynamic test, it must run after the application has been deployed successfully:

The stage order in JiHu GitLab CI/CD is therefore:

stages:
  - build
  - test
  - deploy
  - dast

The following demo, hosted on JiHu GitLab SaaS, shows how DAST is used in JiHu GitLab CI/CD.

The JiHu GitLab CI/CD configuration is as follows:

stages:
  - build
  - test
  - deploy
  - dast        # DAST runs last, against the deployed application

build:
  image: docker:20.10.7-dind
  stage: build
  tags:
    - devsecops
  script:
    # -p exposes the password in the process argument list; --password-stdin avoids that
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t $CI_REGISTRY_IMAGE:1.0.0 .
    - docker push $CI_REGISTRY_IMAGE:1.0.0

test:
  stage: test
  tags:
    - devsecops
  image:
    name: docker:20.10.7-dind
  script:
    - echo "go test"   # placeholder for the real unit tests

deploy:
  image: docker:20.10.7-dind
  tags:
    - devsecops
  stage: deploy
  script:
    - docker run -d -p 9998:9998 $CI_REGISTRY_IMAGE:1.0.0

include:
  - template: DAST.gitlab-ci.yml

dast:
  stage: dast
  variables:
    DAST_WEBSITE: "http://your.application.real.url"   # URL of the deployed application
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_BROWSER_SCAN: "true"
    DAST_SKIP_TARGET_CHECK: "true"

Trigger the CI/CD pipeline and view the results:

On the Ultimate tier, users can also see the DAST results directly in the merge request (MR):


The scan found two potential vulnerabilities. In this case, the code can be merged only after the vulnerabilities are fixed. You can click a reported vulnerability to create an issue for tracking the security problem:


After the fix is pushed, the CI/CD pipeline with the DAST scan runs again. Once no security problems remain, the code can be merged and the corresponding issue closed.
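As an added example (not code from the post or from GitLab), a small merge gate that reads the DAST job's JSON report artifact and fails when any finding reaches a chosen severity, so the "fix before merge" rule above can also be enforced as a plain pipeline job. The report layout (a `vulnerabilities` array with `severity`, `name` and `location` fields, as in GitLab's security report schema) and the severity labels are assumptions, and the sample report is constructed.

```python
import json
from collections import Counter

# Severity labels of the GitLab security report schema, lowest first
# (assumed from the schema, not taken from this post).
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]


def rank(severity):
    """Numeric rank of a severity label; unrecognised labels count as Unknown."""
    return SEVERITY_ORDER.index(severity if severity in SEVERITY_ORDER else "Unknown")


def load_report(text):
    """Parse a gl-dast-report.json document and return its vulnerability list."""
    return json.loads(text).get("vulnerabilities", [])


def summarize(vulns):
    """Count findings per severity label, e.g. {'Medium': 1, 'Low': 1}."""
    return dict(Counter(v.get("severity", "Unknown") for v in vulns))


def blocking_findings(vulns, threshold="Medium"):
    """Findings at or above `threshold`, most severe first."""
    hits = [v for v in vulns if rank(v.get("severity")) >= rank(threshold)]
    return sorted(hits, key=lambda v: -rank(v.get("severity")))


def gate(report_text, threshold="Medium"):
    """Return (passed, lines): passed is False if any finding reaches the threshold."""
    hits = blocking_findings(load_report(report_text), threshold)
    loc = lambda v: v.get("location", {})
    lines = ["%s: %s (%s%s)" % (v.get("severity"), v.get("name", "unnamed"),
                                loc(v).get("hostname", ""), loc(v).get("path", ""))
             for v in hits]
    return not hits, lines


# Constructed sample in the shape of a DAST report; not the output of a real scan.
SAMPLE_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": [
    {"id": "f-1", "severity": "Medium", "name": "Missing Content-Security-Policy header",
     "location": {"hostname": "http://jenkins.example.com:8088", "path": "/login"}},
    {"id": "f-2", "severity": "Low", "name": "Cookie without SameSite attribute",
     "location": {"hostname": "http://jenkins.example.com:8088", "path": "/"}},
]})

if __name__ == "__main__":
    import sys
    passed, lines = gate(SAMPLE_REPORT, threshold="Medium")
    print("\n".join(lines) or "no blocking findings")
    sys.exit(0 if passed else 1)  # a non-zero exit fails the CI job
```

In a real pipeline the job would read the `gl-dast-report.json` artifact produced by the `dast` job instead of `SAMPLE_REPORT`, and the threshold would be set per project.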

Ultimate users can also view all DAST security vulnerabilities in the Security Dashboard, giving a unified and transparent view of security vulnerabilities:


DAST needs to be combined with other security testing methods, such as SAST, secret detection and fuzz testing, to build a complete DevSecOps system.

For more information about DevSecOps, see:

Sensitive information detection in JiHu GitLab DevSecOps

Image scanning in JiHu GitLab DevSecOps

Fuzz testing in JiHu GitLab DevSecOps

SAST in JiHu GitLab DevSecOps

Dependency scanning in GitLab DevSecOps

JiHu GitLab DevSecOps IaC security scanning

Tags: Operation & Maintenance GitLab jenkins DevOps

Posted by crackfox on Fri, 26 Aug 2022 02:00:31 +0300