From Development to Delivery: The Indispensable Role of DAST in Modern DevSecOps Practices.

Rui Pedro Moreira
3 min read · Feb 4, 2024


Dynamic Application Security Testing (DAST) is a critical component of application security, primarily because of its distinctive testing approach.

By executing the application in its live, running state, DAST offers an external perspective akin to that of an end-user. This contrasts sharply with Static Application Security Testing (SAST), which examines source code without executing the application.
The key strength of DAST lies in its ability to identify potential security vulnerabilities that might remain undetected by SAST.

Beyond Static Analysis: The Critical Role of DAST in Preventing Costly Security Breaches.

DAST’s methodology entails examining the application during its operational phase, requiring it to be fully compiled and running.
This process, albeit more time-consuming than SAST, is crucial for a thorough examination. By mimicking an end-user’s interaction with the application, DAST can uncover vulnerabilities that only manifest during actual use, offering insights that static analysis methods might miss.

Incorporating DAST into your Continuous Integration/Continuous Deployment (CI/CD) workflow can result in considerable financial benefits for your company. By detecting and remedying security flaws at an early stage within the development cycle, you minimize the risk of costly security incidents and data breaches.

Examining an application from an external point of view, similar to that of a potential hacker, tends to generate fewer false alarms than SAST. This reduction in false positives can significantly decrease the time spent analyzing scan outcomes. Additionally, this approach enables the identification of security weaknesses that might have remained undetected with other methods.

Exploring DAST tools:

The market offers a diverse range of DAST tools, each with unique features and capabilities. Choose a DAST tool that complements your application’s technology stack. It’s essential that the tool accommodates current technologies such as containerization, APIs, and microservices architecture.

This versatility is crucial in today’s multi-lingual development environments. Some prominent tools include:

How to integrate DAST into your CI/CD.

How to integrate OWASP ZAP with GitHub Actions:
(Copy the code below and paste it into the workflow editor.)

name: "Secure Pipeline - OWASP Zap"
on: ["push","pull_request"]
jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan ZAP website
    steps:
      - name: OWASP ZAP
        uses: zaproxy/action-baseline@v0.4.0
        with:
          # Target URL
          target: "https://target.com/"
          fail_action: false
          token: $
          issue_title: Security Tests
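The ZAP workflow above sets fail_action: false, so the scan itself never breaks the build; a follow-up step can instead read the report_json.json artifact the baseline action writes and apply an explicit risk threshold. The gate below is an added example, not part of the original post or of the zaproxy action: it assumes ZAP's JSON report shape (site[].alerts[].riskcode, with riskcode "0" to "3" for Informational to High), and the sample report and plugin ids are constructed.

```python
import json
import sys

# Risk codes as ZAP writes them in report_json.json ("riskcode" is a string).
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

def load_alerts(report):
    """Flatten ZAP's per-site alert lists into (site, alert) pairs."""
    return [(site.get("@name", "?"), alert)
            for site in report.get("site", [])
            for alert in site.get("alerts", [])]

def gate(report, min_risk="3", ignore_plugins=()):
    """Return (passed, findings). passed is False when any alert at or above
    min_risk remains after dropping plugin ids in ignore_plugins (accepted risk)."""
    findings = []
    for site, alert in load_alerts(report):
        if alert.get("pluginid") in ignore_plugins:
            continue
        code = str(alert.get("riskcode", "0"))
        if int(code) >= int(min_risk):
            findings.append((site, alert.get("pluginid"),
                             RISK_NAMES.get(code, code), alert.get("alert", "")))
    return (len(findings) == 0, findings)

# Constructed sample shaped like a ZAP baseline report; not output of a real scan.
SAMPLE_REPORT = {
    "site": [{
        "@name": "https://target.com",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
            {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0"},
        ],
    }],
}

def main(argv):
    """Usage: python zap_gate.py [report_json.json] [min_risk]; exit 1 blocks the pipeline."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    passed, findings = gate(report, min_risk=argv[2] if len(argv) > 2 else "3")
    for site, plugin, risk, name in findings:
        print(f"{risk}: {name} (plugin {plugin}) on {site}")
    print("gate passed" if passed else "gate FAILED")
    return 0 if passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an extra workflow step after downloading the ZAP report artifact; the non-zero exit code is what makes the job fail on High findings while Medium and below stay visible without blocking the merge.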

How to integrate Probely with GitHub Actions:
(Copy the code below and paste it into the workflow editor.)

name: "Scan a target with Probely"
on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Scan with Probely
        id: probely-scan
        uses: Probely/probely-github-action@main
        with:
          api-key: ${{ secrets.PROBELY_API_KEY }}
          target-id: "<TARGET_ID>"
          region: "eu"

How to integrate Dastardly with GitHub Actions:
(Copy the code below and paste it into the workflow editor.)

name: "Secure Pipeline Test - Dast"
on: ["push","pull_request"]
jobs:
  dastchecktest:
    runs-on: ubuntu-latest
    steps:
      - name: Run Dastardly Action Step
        continue-on-error: true # This allows subsequent steps to run even if this step fails
        uses: PortSwigger/dastardly-github-action@main
        with:
          target-url: 'https://target.com'
      - name: Upload Test results
        if: always() # Publish the report even when the scan step reported findings
        uses: mikepenz/action-junit-report@v3
        with:
          check_name: dast report
          # action-junit-report reads JUnit XML from the report_paths glob;
          # Dastardly writes dastardly-report.xml into the workspace by default
          report_paths: '${{ github.workspace }}/dastardly-report.xml'
          require_tests: true

Conclusion

As we navigate the complexities of modern application development, the role of Dynamic Application Security Testing (DAST) cannot be overstated. DAST stands out as a pivotal element in the cybersecurity framework, offering a unique, external viewpoint that closely mirrors the perspective of an end-user and, potentially, that of an attacker.
Because it reports fewer false positives, its efficiency in detecting genuine vulnerabilities translates into considerable time savings during the review process and enhances the security posture of applications.

In summary, the adoption of DAST not only fortifies applications against external threats but also promotes a culture of security within organizations. It underscores the commitment to delivering not just functional, but secure software products, ensuring trust and reliability in an increasingly digital world.
