DAST is continuing to integrate earlier in the pipeline. Historically, the turnaround times of DAST scans have precluded their integration into stringent DevSecOps workflows. However, we are starting to see developer-driven DAST testing expand—extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines.
This enables DAST to be included in faster testing cycles. Automated security scans in the pipeline yield many benefits that lead to faster discovery and fixes:
- Developers are alerted to any new vulnerabilities before they hit production, optionally breaking the build to ensure that a review happens before the release.
- Testing can be run against underlying services and APIs instead of being limited to the customer-facing application, leading to faster identification of the underlying issue when a bug is found.
With DAST scans aligned with functional test scripts, only the portions of the application that are being worked on are scanned, and findings stay in the context of the code the developer was working on. Scans that run automatically and integrate with existing processes and tools keep security and development teams moving quickly. They remain focused on fixing critical issues, not scheduling scans. This approach typically yields better results than the recently popular IAST method. Passive IAST doesn't crawl the application and is dependent on the user creating functional testing scripts and manually exercising the application. DAST not only has these capabilities, but is also effective at discovering the attack surface of the application on its own.
This becomes a question of how much you trust QA to create a script for every scenario and code path. Unless they can cover those scenarios 100%, you will still need DAST to find all of the attack surface.
Testing earlier means organizations don’t need to re-orient their entire development process to a late-stage security gate as they did before. This allows for better scalability of DAST, which typically has been a major hurdle for security teams. Solutions that centralize the scanning are a key element of making DAST work at scale in DevSecOps pipelines.
A great way to set up DAST for both fast feedback and comprehensive scanning is:
- For every check-in, run any functional tests through DAST. This enables developers to get quick feedback on their changes, in the same way as IAST.
- On nightly builds, run the more comprehensive scan that crawls the entire application, giving you full and complete coverage.
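As an added illustration of the two-tier setup above (example code, not from the original article), here is a small build-gate policy: per-check-in runs break the build only on new High findings that are not already in a triaged baseline, while nightly full crawls gate on Medium and above. The report and baseline layout, the trigger names and the URLs are constructed assumptions, not any particular scanner's output format.

```python
# Risk ranks so a threshold such as "Medium" means Medium and above.
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def select_scan_policy(trigger: str) -> dict:
    """Map a CI trigger to the two-tier policy: quick per check-in, full nightly."""
    if trigger == "schedule":  # nightly build: crawl the whole application
        return {"mode": "full", "crawl": True, "fail_on": "Medium"}
    # every check-in: only replay the functional tests through the DAST proxy
    return {"mode": "quick", "crawl": False, "fail_on": "High"}

def finding_key(alert: dict) -> tuple:
    """Identity of a finding: same check on the same request is the same bug."""
    return (alert["name"], alert["method"], alert["url"], alert.get("param", ""))

def new_findings(report: dict, baseline: dict, fail_on: str) -> list:
    """Alerts at or above fail_on that are not already in the triaged baseline."""
    known = {finding_key(a) for a in baseline["alerts"]}
    threshold = RISK_RANK[fail_on]
    return [a for a in report["alerts"]
            if RISK_RANK[a["risk"]] >= threshold and finding_key(a) not in known]

def gate(report: dict, baseline: dict, policy: dict) -> tuple:
    """Return (passed, offending alerts); the build breaks on *new* findings only."""
    found = new_findings(report, baseline, policy["fail_on"])
    return (len(found) == 0, found)

# Constructed sample baseline: one already-tracked Medium finding (assumed format).
BASELINE = {"alerts": [
    {"name": "Missing Anti-clickjacking Header", "risk": "Medium",
     "method": "GET", "url": "https://app.example/login"},
]}
# Constructed sample report from a scan of the current build (assumed format).
REPORT = {"alerts": [
    {"name": "Missing Anti-clickjacking Header", "risk": "Medium",
     "method": "GET", "url": "https://app.example/login"},
    {"name": "SQL Injection", "risk": "High",
     "method": "POST", "url": "https://app.example/api/orders", "param": "id"},
    {"name": "Content Security Policy Header Not Set", "risk": "Medium",
     "method": "GET", "url": "https://app.example/dashboard"},
    {"name": "Cookie Without Secure Flag", "risk": "Low",
     "method": "GET", "url": "https://app.example/"},
]}

if __name__ == "__main__":
    for trigger in ("push", "schedule"):
        policy = select_scan_policy(trigger)
        passed, found = gate(REPORT, BASELINE, policy)
        print(trigger, policy["mode"], "PASS" if passed else "FAIL",
              [a["name"] for a in found])
```

The quick run surfaces only the new High finding, while the nightly run also reports the new Medium one; the baseline entry is suppressed in both, so developers see only what their change introduced.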