Identify DAST plugins to be disabled
Problem Statement
DAST includes a lot of vulnerability checks of varying complexity and maturity. GitLab has not historically taken the extra steps necessary to identify which checks are necessary and which should be disabled.
We need to systematically identify which plugins bring value to our customers and disable those that do not. This has multiple benefits:
- Reduces false-positive (FP) rates, since immature plugins will be disabled
- Reduces alert fatigue for our customers
- Potentially reduces scan time
A list of problematic plugins, identified against a coding standard, has already been compiled:
- https://docs.google.com/presentation/d/1GECtSSX-Jk8I2TVerXCZwgf8cBByi63ns-H90fveQ7o/edit#slide=id.g84facb0326_0_178
- https://docs.google.com/presentation/d/1B5_fx7ljy2xH289YQTehNg3Z7dYkj27Xe7FC-_D2ByY/edit#slide=id.g84facb0326_0_178
However, we should review our benchmark results, potentially add new test cases to confirm the validity of each check, and disable those that do not show value.
Reach
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (Devops Engineer)
- Sam (Security Analyst)
- Simone (Software Engineer in Test)
3.0
Impact
2.0
Confidence
80% = Medium confidence
Effort
A majority of the upfront work has already been completed by going through the source of each ZAP plugin. The biggest challenge is getting everyone to agree on which plugins or tests are safe to disable, since we do not have user metrics at our disposal.