Skip to main content Link Menu Expand (external link) Document Search Copy Copied
DevSecOps Guides

DAST

Table of contents

DAST stands for Dynamic Application Security Testing. It is a type of application security testing that involves testing an application in a running state to identify security vulnerabilities that may be present.

DAST tools work by interacting with an application in much the same way as a user would, by sending HTTP requests to the application and analyzing the responses that are received. This allows DAST tools to identify vulnerabilities that may be present in the application’s logic, configuration, or architecture.

Here are some key features of DAST:

  • Realistic testing: DAST provides a more realistic testing environment than SAST because it tests the application in a running state, simulating how an attacker would interact with it.

  • Automation: DAST tools can be automated to provide continuous testing, allowing for faster feedback on vulnerabilities.

  • Scalability: DAST tools can be scaled to test large and complex applications, making them suitable for enterprise-level testing.

  • Coverage: DAST tools can provide coverage for a wide range of security vulnerabilities, including those that may be difficult to detect through other forms of testing.

  • Ease of use: DAST tools are typically easy to use and require minimal setup, making them accessible to developers and security teams.

DAST ToolDescription
OWASP ZAPan open-source web application security scanner
Burp Suitea web application security testing toolkit

Assuming we have a web application that we want to test for security vulnerabilities using DAST, we can use OWASP ZAP, an open-source web application security scanner, in our pipeline.

1- First, we need to install OWASP ZAP and configure it with our web application. This can be done by running the following commands in the pipeline:

- name: Install OWASP ZAP
  run: |
    wget https://github.com/zaproxy/zaproxy/releases/download/v2.10.0/ZAP_2.10.0_Core.zip
    unzip ZAP_2.10.0_Core.zip -d zap
- name: Start OWASP ZAP
  run: |
    zap/zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.disablekey=true
- name: Configure OWASP ZAP
  run: |
    zap/zap-cli.py -p 8080 open-url https://example.com

2- Next, we need to run the security scan using OWASP ZAP. This can be done by running the following command in the pipeline:

- name: Run OWASP ZAP scan
  run: |
    zap/zap-cli.py -p 8080 spider https://example.com
    zap/zap-cli.py -p 8080 active-scan https://example.com

This will start the OWASP ZAP spider to crawl the web application and then run an active scan to identify security vulnerabilities.

3- Finally, we need to generate a report of the security scan results. This can be done by running the following command in the pipeline:

- name: Generate OWASP ZAP report
  run: |
    zap/zap-cli.py -p 8080 report -o zap-report.html -f html

This will generate an HTML report of the security scan results that can be reviewed and acted upon.