Problem Validation: DAST: Viable to Complete
Problem Statement
Customers want a full-featured, trustworthy DAST tool that has reliable results and is integrated into their DevOps lifecycle and build pipelines, so that they can validate their applications by finding and fixing vulnerabilities earlier in development, instead of finding them after deployment.
We know that we are lacking in some core functionality that is necessary for our customers to consider our DAST tool in "Complete" maturity. However, we do not have full visibility into exactly what is missing. We do know some of the updates that are needed, such as fewer false positives, but the larger feature set is not fully known. As we work on the known features, we need to validate the full set of features needed to bring DAST to complete maturity.
Features needed for Complete maturity
This section will evolve as we complete the research project.
- Reduce false positive rate by greater than 50%
- De-duplicate results to reduce the number of reported vulnerabilities (e.g. showing only one result for a missing header across the entire app, rather than one per URL)
- Easier configuration of DAST scans and the possible options
- Scriptable or recordable tests for specific workflows
- The ability to run a "one-off" scan, not related to a merge request
- User agent customization
- Header customization
- Cookie customization (including authentication)
- SSO authentication (priority of SSO implementations to be determined)
  - OAuth 2.0
  - SAML 2.0
  - LDAP
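To illustrate the de-duplication item above, here is an added example (not code from GitLab or this issue) that collapses repeated DAST findings. It assumes a simplified, hypothetical finding shape (`name`, `url`, `severity`) and a constructed sample report; the real report format and the rule for which finding types count as app-wide are assumptions for the illustration.

```python
# Added example: de-duplicating DAST findings so that app-wide issues
# (such as a missing security header) appear once with a list of
# affected URLs, while genuinely per-URL findings stay separate.
# The finding shape and sample data below are constructed for this example.

SAMPLE_FINDINGS = [
    {"name": "X-Content-Type-Options header missing", "url": "https://app.example/", "severity": "Low"},
    {"name": "X-Content-Type-Options header missing", "url": "https://app.example/login", "severity": "Low"},
    {"name": "X-Content-Type-Options header missing", "url": "https://app.example/api/items", "severity": "Low"},
    {"name": "Content-Security-Policy header missing", "url": "https://app.example/", "severity": "Medium"},
    {"name": "Reflected XSS in parameter q", "url": "https://app.example/search", "severity": "High"},
    # Exact duplicate of the previous finding, as scanners sometimes emit
    {"name": "Reflected XSS in parameter q", "url": "https://app.example/search", "severity": "High"},
]

# Hypothetical rule: findings whose name matches one of these markers are
# treated as properties of the whole application rather than of one URL.
APP_WIDE_MARKERS = ("header missing",)


def is_app_wide(finding):
    """Return True if the finding should be reported once for the whole app."""
    name = finding["name"].lower()
    return any(marker in name for marker in APP_WIDE_MARKERS)


def deduplicate(findings):
    """Collapse findings into one entry per (name) for app-wide issues and
    one entry per (name, url) otherwise. Each entry lists the URLs where the
    issue was observed, so no evidence is lost when results are merged."""
    grouped = {}
    order = []  # keep first-seen order for stable output
    for finding in findings:
        if is_app_wide(finding):
            key = ("app", finding["name"])
        else:
            key = ("url", finding["name"], finding["url"])
        if key not in grouped:
            grouped[key] = {
                "name": finding["name"],
                "severity": finding["severity"],
                "urls": [],
            }
            order.append(key)
        entry = grouped[key]
        if finding["url"] not in entry["urls"]:
            entry["urls"].append(finding["url"])
    return [grouped[key] for key in order]


def reduction_summary(findings):
    """Return (raw_count, deduplicated_count) for a quick before/after view."""
    return len(findings), len(deduplicate(findings))


if __name__ == "__main__":
    raw, merged = reduction_summary(SAMPLE_FINDINGS)
    print(f"{raw} raw findings -> {merged} after de-duplication")
    for entry in deduplicate(SAMPLE_FINDINGS):
        print(f"[{entry['severity']}] {entry['name']} ({len(entry['urls'])} URL(s))")
```

On the constructed sample, six raw findings become three: the missing-header finding is reported once with three affected URLs, the CSP finding once, and the duplicated XSS finding once. The same grouping approach is what a "one result per app" option would need in a pipeline report, with the list of affected URLs kept for triage.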
Reach
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (Devops Engineer)
- Sam (Security Analyst)
- Simone (Software Engineer in Test)
I believe that bringing DAST to Complete maturity would help to shift DAST testing left. As this would greatly increase the reach of the DAST scans, I think that it should be considered to have a significant reach at 3.0.
Impact
I believe that this would help to boost the value of the Ultimate and Gold plans by providing a complete DAST tool that is competitive with other stand-alone DAST tools on the market. As such, I think that this will provide a High impact at 2.0.
Confidence
We know that this is a problem because we have customers asking us to mature the DAST capabilities and provide more functionality. I would put this at 100% confidence.
Effort
It is unknown at this time what the effort would be for this. For reducing the false positives, the effort is likely a 3 to 5.