
Enable DAST scanning of MFA enabled websites

Problem to solve

Enable multi-factor authentication for authenticated DAST scans

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Sam (Security Analyst)

Further details

More and more sites require MFA to operate, especially in high-risk environments such as government. As new sites are built with MFA, DAST needs to handle the case where a preview application is scanned with the appropriate access level, so that the assessment does not stop at the MFA gate but also identifies vulnerabilities further inside the authenticated areas. Currently DAST cannot be configured to authenticate through MFA when scanning the target website.

Proposal

Implement the ability to scan an MFA-enabled website by allowing certain authentication parameters (credentials and second-factor material) to be stored and passed through to the DAST scanner.

Permissions and Security

Same as Security Dashboard

Documentation

Documents that will need to be updated: https://docs.gitlab.com/ee/user/application_security/dast/l

Testing

Testing should include:

  1. Setting up a site with MFA, such as an X.509 client certificate as the second factor, and scanning it with DAST
  2. Setting up a site with a test verification code sent to an e-mail address that is fed back to the DAST scanner to authenticate with the site
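As an added example (not GitLab's DAST implementation, and not code from this issue), the following in-process model covers the proposal above and test case 2: a constructed site that requires a password plus a one-time code delivered by e-mail, and a scanner-side login helper that completes both factors by reading the code from a stub inbox and exchanging it for a session cookie. It also shows the two failure modes a scanner integration must handle: a wrong code yields no session, and a consumed code cannot be replayed. All class, function and account names are assumptions made for this illustration.

```python
"""Added example: model of an e-mail one-time-code MFA login that a DAST scanner
must complete before crawling the authenticated area. Not GitLab DAST code."""
import hmac
import secrets
import time


class Mailbox:
    """Constructed stand-in for the test inbox the scanner is allowed to read."""

    def __init__(self):
        self.messages = []  # list of (recipient, body)

    def deliver(self, to, body):
        self.messages.append((to, body))

    def latest_code(self, to):
        # Newest message first; the body format is fixed by MfaSite.login below.
        for rcpt, body in reversed(self.messages):
            if rcpt == to:
                return body.rsplit("code: ", 1)[1].strip()
        return None


class MfaSite:
    """Constructed target: password login, then a 6-digit code sent by e-mail."""

    CODE_TTL = 300  # seconds a pending code stays valid

    def __init__(self, mailbox, users):
        self.mailbox = mailbox
        self.users = users    # username -> (password, email)
        self.pending = {}     # pending token -> (username, code, expiry)
        self.sessions = {}    # session cookie -> username

    def login(self, username, password):
        """First factor. Returns a pending token and e-mails a code, or None."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (username, code, time.time() + self.CODE_TTL)
        self.mailbox.deliver(record[1], f"Your verification code: {code}")
        return token

    def verify(self, token, code):
        """Second factor. The pending token is consumed on any attempt (single use)."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        username, expected, expiry = entry
        if time.time() > expiry or code is None or not hmac.compare_digest(expected, code):
            return None
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = username
        return cookie

    def get(self, path, cookie=None):
        """Authenticated area: 200 with a valid session cookie, 401 otherwise."""
        if cookie in self.sessions:
            return 200, f"welcome {self.sessions[cookie]} at {path}"
        return 401, "login required"


def authenticate_scanner(site, mailbox, username, password, email):
    """Scanner-side login hook: complete both factors and return the session cookie."""
    token = site.login(username, password)
    if token is None:
        raise RuntimeError("first factor failed")
    code = mailbox.latest_code(email)
    cookie = site.verify(token, code)
    if cookie is None:
        raise RuntimeError("second factor failed")
    return cookie


def run_demo():
    """Drive the flow and report what a scanner sees before and after MFA."""
    inbox = Mailbox()
    site = MfaSite(inbox, {"sam": ("correct horse", "sam@example.test")})
    before = site.get("/admin")[0]                                   # 401: no session
    bad = site.verify(site.login("sam", "correct horse"), "not-a-code")  # wrong code
    cookie = authenticate_scanner(site, inbox, "sam", "correct horse", "sam@example.test")
    after = site.get("/admin", cookie)[0]                            # 200: both factors done
    # A consumed token/code pair must not open a second session.
    token = site.login("sam", "correct horse")
    code = inbox.latest_code("sam@example.test")
    first = site.verify(token, code) is not None
    replay = site.verify(token, code)
    return {"before": before, "bad_code": bad, "after": after, "first": first, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

The scanner-side hook is the part a DAST integration would own: it needs the credentials, read access to a test inbox (or an equivalent code source), and a way to carry the resulting session cookie into every subsequent crawl request. Real deployments should scope that inbox and account to the test environment only.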

What does success look like, and how can we measure that?

Security analysts can fully adopt GitLab Secure DAST in the development phase if the scanner can get past the MFA requirements of the website. Developers will get a clearer picture of what could happen if MFA is compromised, or in the case of an insider threat.

What is the type of buyer?

Ultimate

Links / references

Edited Sep 10, 2019 by Sameer Kamani