Penetration Testing

GitHub DevSecOps Part 8: Dynamic Application Security Testing (DAST)

19 April 2023·6 mins

DevSecOps GitHub CI/CD DevOps DAST Dynamic Application Security Testing Penetration Testing OWASP ZAP GitHub Actions

After seven sessions of static analysis — SCA, license compliance, SAST, container scanning, secret detection — Patrick Steger and I move into the dynamic side of the pipeline. In Part 8 we add Dynamic Application Security Testing to our GitHub Actions pipeline. DAST runs the application and then attacks it. GitHub does not ship this out of the box, so we wire in a community action built on OWASP ZAP — and we are honest about where that approach falls short for enterprise use.

GitLab DevSecOps Part 8: Dynamic Application Security Testing (DAST)

5 October 2022·5 mins

DevSecOps GitLab CI/CD DevOps DAST Dynamic Application Security Testing Penetration Testing OWASP ZAP Shift Left

Everything we have done in the GitLab DevSecOps pipeline so far has been static — analysis of source code, dependencies, containers and configuration. In Part 8, Patrick Steger and I cross the line into Continuous Delivery and add Dynamic Application Security Testing. DAST means we deploy the application, start it, and then attack it from the outside with an automated penetration testing tool. GitLab ships this capability out of the box, powered by OWASP ZAP.

↑