DAST Baseline benchmark
Problem to solve
As a DAST PM, I want to validate that the vulnerability detection rate for DAST has not gone down between releases and that no false positives have been introduced, so that I know that the quality of the DAST tool has not gone down.
Intended users
User experience goal
The user should be able to look at a baseline benchmark report that was generated by running DAST against multiple vulnerable applications with known vulnerabilities and validate that no false positives or false negatives were introduced.
Proposal
We should create a system by which our DAST tool is tested with every release against a known list of vulnerabilities in multiple vulnerable web apps and document the outcome. A list of possible applications for inclusion can be found at http://www.vulnerablewebapps.org/. The first two that should be included in the baseline should be:
- DVWA
- OWASP Juice Shop
- WebGoat
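One way to express the comparison step of the proposed benchmark (an added illustration, not GitLab's code): a scan's findings are checked against the known vulnerabilities of each app, yielding the detection rate, the false negatives, and the false positives, and a release passes only if the rate did not drop and nothing spurious appeared. The `Finding` record, the report schema, and the paths and vulnerability classes are constructed sample values, not the real output format of any DAST tool.

```python
"""Compare DAST findings against a baseline of known vulnerabilities.

Added illustration for the benchmark proposal; not GitLab's code.
App names come from the list above; paths and vuln classes are
constructed sample data, not any DAST tool's real schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str    # vulnerable application under test, e.g. "DVWA"
    path: str   # request path the finding was reported on (constructed)
    vuln: str   # vulnerability class, e.g. "sqli", "xss"


# Constructed baseline: vulnerabilities each app is known to contain.
BASELINE = {
    Finding("DVWA", "/vulnerabilities/sqli/", "sqli"),
    Finding("DVWA", "/vulnerabilities/xss_r/", "xss"),
    Finding("OWASP Juice Shop", "/rest/products/search", "sqli"),
    Finding("WebGoat", "/WebGoat/SqlInjection/attack5a", "sqli"),
}


def compare(baseline, findings):
    """Return (detection rate, false negatives, false positives)."""
    found = set(findings)                # duplicates in a report count once
    true_positives = baseline & found
    false_negatives = baseline - found   # known vulns the scan missed
    false_positives = found - baseline   # reported vulns not in the baseline
    rate = len(true_positives) / len(baseline) if baseline else 0.0
    return rate, false_negatives, false_positives


def release_passes(baseline, findings, previous_rate):
    """Pass only if no regression in detection rate and no new false positives."""
    rate, _, false_positives = compare(baseline, findings)
    return rate >= previous_rate and not false_positives


# Constructed scan output for a release: one vuln missed, one spurious finding.
SCAN = [
    Finding("DVWA", "/vulnerabilities/sqli/", "sqli"),
    Finding("DVWA", "/vulnerabilities/xss_r/", "xss"),
    Finding("OWASP Juice Shop", "/rest/products/search", "sqli"),
    Finding("WebGoat", "/WebGoat/login", "xss"),
]

if __name__ == "__main__":
    rate, fn, fp = compare(BASELINE, SCAN)
    print(f"detection rate {rate:.2f}, missed {len(fn)}, spurious {len(fp)}")
    print("release passes:", release_passes(BASELINE, SCAN, previous_rate=1.0))
```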