Application Security Testing (SAST, DAST, and Recon)
Just like we have Auto Code Quality, we should add Auto SAST and Auto DAST to Auto DevOps. Both use open source scanners with signatures to find vulnerabilities. Static Application Security Testing (SAST) finds them in the code. Dynamic Application Security Testing (DAST) finds them in a running review app. DAST can also be run against external targets by security researchers who self-host GitLab.
As a next iteration we can assess the signal to noise ratio (false positives) of the different signatures based on whether people create an issue or dismiss the finding. We can also add a GitLab Recon functionality (gitlab-ce#40119) to find new hosts to scan based on the top-level domain name. This is based on DNSDB data of queries people made, so it works without needing access to DNS zone files.
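The signal-to-noise idea above, as an added illustration that is not GitLab code: each scanner finding is tagged with the signature that produced it and with what the developer did (created an issue, or dismissed it), and per-signature precision is estimated from those reactions. The signature names and the feedback records are constructed for this example; the Laplace smoothing and the minimum-sample cutoff are assumptions that keep a signature seen once or twice from being scored 0 or 1.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of developer reactions to findings, keyed by the scanner
# signature that raised them. "issue" means an issue was created (treated as a
# true positive); "dismiss" means the finding was dismissed (false positive).
SAMPLE_FEEDBACK = [
    ("sql-injection-concat", "issue"),
    ("sql-injection-concat", "issue"),
    ("sql-injection-concat", "dismiss"),
    ("hardcoded-secret", "issue"),
    ("hardcoded-secret", "issue"),
    ("hardcoded-secret", "issue"),
    ("insecure-random", "dismiss"),
    ("insecure-random", "dismiss"),
    ("insecure-random", "dismiss"),
    ("insecure-random", "issue"),
    ("x-frame-options-missing", "dismiss"),  # only one observation so far
]


@dataclass
class SignatureStats:
    confirmed: int = 0   # findings that led to an issue
    dismissed: int = 0   # findings the developer dismissed

    def precision(self, prior: float = 1.0) -> float:
        # Laplace-smoothed precision (assumed): avoids extreme scores on few samples.
        return (self.confirmed + prior) / (self.confirmed + self.dismissed + 2 * prior)


def aggregate(feedback):
    """Count confirmed and dismissed findings per signature."""
    stats = defaultdict(SignatureStats)
    for signature, action in feedback:
        if action == "issue":
            stats[signature].confirmed += 1
        elif action == "dismiss":
            stats[signature].dismissed += 1
        else:
            raise ValueError(f"unknown action {action!r}")
    return dict(stats)


def noisy_signatures(feedback, threshold=0.5, min_samples=3):
    """Signatures whose smoothed precision is below threshold, noisiest first.
    Signatures with fewer than min_samples observations are skipped: not enough evidence."""
    stats = aggregate(feedback)
    scored = [(sig, s.precision()) for sig, s in stats.items()
              if s.confirmed + s.dismissed >= min_samples]
    return sorted(((sig, p) for sig, p in scored if p < threshold), key=lambda pair: pair[1])
```

Signatures that end up on the noisy list are candidates for demotion or for a default of "informational" rather than a blocking pipeline result.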
- Security development lifecycle https://www.microsoft.com/en-us/sdl/default.aspx
- Fuzz testing https://en.wikipedia.org/wiki/Fuzzing
- DAST: only DAST can be used against external targets
- UVM (Unified Vulnerability Management) => tests the installed version instead of the vulnerability itself
- PEN: penetration testing, similar to DAST
- Network security => preventing access, outdated
- GitLab CI functions like a C&C server for the tests.
- Static Application Security Testing (SAST)
Next 3-6 Months
- Dynamic Application Security Testing (DAST): #3956
Next 6-12 Months
- GitLab Recon: gitlab-ce#40119
Related/To be planned
- Common metric format => shared between code quality, SAST, DAST, load testing
- EEP Enterprise Dashboard
- Signal to noise ratio
- Use against external targets
- Add DNS DB
- Constant Deployment #3363
- OpenVAS https://gitlab.com/gitlab-com/infrastructure/issues/2483