Application Security Testing (SAST, DAST)

Summary

Just like we have Auto Code Quality we should add Auto SAST and Auto DAST to Auto DevOps. Both use open source scanners with signatures to find vulnerabilities. Static Application Security Testing (SAST) finds them in the code. Dynamic Application Security Testing (DAST) finds it in a running review app. DAST can also be run against external targets by security researchers who self-host GitLab.

As a next iteration we can assess the signal to noise (false positives) of the different signatures based on if people create an issue or dismiss the signal. We can also add a GitLab Recon functionality (https://gitlab.com/gitlab-org/gitlab-ce/issues/40119) to find new hosts to scan based on the top-level domain name. This is based on DNSDB data of queries people made so it works without needed access to DNS zone files.

Concepts

1. Security development lifecycle https://www.microsoft.com/en-us/sdl/default.aspx
2. Fuzz testing https://en.wikipedia.org/wiki/Fuzzing
3. DAST Only DAST can be used against external targets
4. SAST
5. UVM Unified Vulnerability Management => testing version instead of vulnerability
6. PEN Penetration testing, similar to DAST
7. Network security => preventing access, outdated
8. GitLab CI functions like a C&C server for the tests.

Timeline

10.3 -

• Auto SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/3723
• Show SAST results in MR widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/3775
• Sort security vulnerabilities by priority in MR widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/3961
• Add SAST in Auto DevOps documentation: https://gitlab.com/gitlab-org/gitlab-ee/issues/4125

10.4 -

• Security Scanning in Registry: https://gitlab.com/gitlab-org/gitlab-ee/issues/3724
• Show results from docker image scan in the merge request widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/4249
• Dynamic Application Security Testing (DAST): https://gitlab.com/gitlab-org/gitlab-ee/issues/3956
• Show DAST results in the MR widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/4348

10.5 -

• Improved visualization of SAST results in MR widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/3995
• Add Gemnasium dependency check to SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/4682

10.6 -

• Support SAST for Java applications (Maven): https://gitlab.com/gitlab-org/gitlab-ee/issues/4123
• Add authentication options to DAST checks: https://gitlab.com/gitlab-org/gitlab-ee/issues/4504 Stretch

10.7 -

• SAST for C/C++: https://gitlab.com/gitlab-org/gitlab-ee/issues/4124
• Group security issues panels in the MR widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/4310
• Introduce explanation question mark icon tooltips MR widget for different tests: https://gitlab.com/gitlab-org/gitlab-ee/issues/4464 Stretch

Related

1. Common metric format => Shared between code quality, SAST, DAST, load testic
2. EEP Enterprise Dashboard
3. Signal to noise ratio
4. Use against external targets
5. Add DNS DB
6. Constant Deployment https://gitlab.com/gitlab-org/gitlab-ee/issues/3363
7. OpenVAS https://gitlab.com/gitlab-com/infrastructure/issues/2483

Original Timeline

1. 10.2 SAST => Ruby and Node 1. Auto SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/3723 1. Show SAST results in MR widget: https://gitlab.com/gitlab-org/gitlab-ee/issues/3775 1. 10.3 SAST => language detection shared between test and SAST, 5 more languages 1. 10.4 DAST => dynamic scanners (new director of security can help) 1. 10.5 Common metric format => Shared between code quality, SAST, DAST, load testic 1. 10.6 EEP Enterprise Dashboard 1. 10.7 Signal to noise ratio 1. 10.8 Use against external targets 1. 10.9 Add DNS DB 1. 10.10 Constant Deployment https://gitlab.com/gitlab-org/gitlab-ee/issues/3363 1. 10.11 OpenVAS https://gitlab.com/gitlab-com/infrastructure/issues/2483