DAST
Definition
Dynamic Application Security Testing (DAST) is a security testing methodology that analyzes a web application in its running state to identify vulnerabilities. Unlike static analysis, DAST does not require access to the source code; instead, it probes the deployed application from the outside, simulating the requests an attacker would send, to find weaknesses such as SQL injection, cross-site scripting (XSS), and other exploitable flaws. It is typically run during the testing phase of the software development lifecycle, often as a CI/CD gate, so that findings above an agreed severity threshold block a release before deployment.
Secure Settings Example
# Example DAST configuration for a CI/CD pipeline
dast:
  enabled: true
  scan_profile: "full_scan"
  authentication:
    type: "form"
    username: "test_user"
    password: "secure_password"  # placeholder; in a real pipeline inject this from the CI secret store, never commit it
  target:
    url: "https://example.com"
  reporting:
    format: "json"  # machine-readable, so the pipeline can evaluate the thresholds below
    output: "dast_report.json"
  thresholds:  # maximum findings allowed per severity; exceeding any of them fails the pipeline
    high: 0
    medium: 5
    low: 10
Insecure Settings Example
# Example of insecure DAST configuration
dast:
  enabled: true
  scan_profile: "quick_scan"
  authentication:
    type: "none"  # No authentication, potentially missing vulnerabilities
  target:
    url: "http://example.com"  # Using HTTP instead of HTTPS
  reporting:
    format: "html"  # Less secure and harder to automate
  thresholds:
    high: 10  # Allowing too many high-severity vulnerabilities
    medium: 20
    low: 50
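The thresholds in both configurations only matter if something in the pipeline enforces them. As an added example (not part of the original page or of any particular scanner), the script below reads a JSON report, counts findings per severity and applies the two threshold sets above as a pass/fail gate; the report field names and the sample findings are constructed assumptions.

```python
import json
from collections import Counter

# Thresholds from the page's secure example: maximum findings allowed per severity.
SECURE_THRESHOLDS = {"high": 0, "medium": 5, "low": 10}
# Thresholds from the page's insecure example, for comparison.
INSECURE_THRESHOLDS = {"high": 10, "medium": 20, "low": 50}

# Constructed sample of a dast_report.json; the schema is an assumption,
# not any real scanner's output format.
SAMPLE_REPORT = json.dumps({
    "target": "https://example.com",
    "findings": [
        {"id": "F1", "severity": "high", "name": "SQL injection", "url": "/login"},
        {"id": "F2", "severity": "medium", "name": "Reflected XSS", "url": "/search"},
        {"id": "F3", "severity": "medium", "name": "Missing CSP header", "url": "/"},
        {"id": "F4", "severity": "low", "name": "Server version disclosed", "url": "/"},
    ],
})


def count_by_severity(report_json: str) -> Counter:
    """Count findings per severity (case-insensitive) in a JSON report."""
    report = json.loads(report_json)
    return Counter(f["severity"].lower() for f in report.get("findings", []))


def evaluate_gate(report_json: str, thresholds: dict) -> dict:
    """Compare per-severity counts against thresholds.

    Returns {"passed": bool, "violations": {severity: (count, limit)}}.
    A severity absent from the thresholds is treated as unlimited.
    """
    counts = count_by_severity(report_json)
    violations = {
        sev: (counts.get(sev, 0), limit)
        for sev, limit in thresholds.items()
        if counts.get(sev, 0) > limit
    }
    return {"passed": not violations, "violations": violations}


if __name__ == "__main__":
    # The single high finding fails the secure gate but passes the insecure one.
    for name, th in (("secure", SECURE_THRESHOLDS), ("insecure", INSECURE_THRESHOLDS)):
        result = evaluate_gate(SAMPLE_REPORT, th)
        print(name, "PASS" if result["passed"] else "FAIL", result["violations"])
```

In a pipeline, exit with a non-zero status when `passed` is false so the job blocks the release.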