🎨 Design: make on-demand scan area scalable for other type of scans
Background
Currently, an on-demand scan is only for DAST. There is a need for fuzzing users to use it, and there are needs to run other types of scans outside of the CI/CD cycle. The top ones we know of are fuzzing and dependency scanning.
Fuzzing has done an MVC design and research elaborating the on-demand scan for continuous fuzz testing. It can be used as a reference for how the first step of making fuzzing part of on-demand scanning looks, but from the research we also got feedback on what should be improved. For this issue, we can think about the future vision of how we want the on-demand scan to finally look, rather than working on a boring solution.
- Design issue: #266964 (closed)
- Figma: https://www.figma.com/file/iKVb1JXx9fKXdZLbc26l5y/Continous-Fuzzing?node-id=82%3A1620
- Research result:
  - Summary epic: &4379
  - Dovetail: https://dovetailapp.com/projects/8f12ca78-b52e-4031-9a8d-f32f6202b193/insights/present
JTBD
When I am configuring a security scan outside of CI/CD, I want to specify which assets need to be scanned and under which circumstances, so that I can ensure my assets are secure in production.
Target Persona
Scenario
Here are some scenarios:
- As a security person, sometimes before a release I need to run targeted scans in addition to the CI/CD security scans. Targeted scans can run for a long time because they are deep scans. Depending on the need, sometimes I use fuzzing, which might find risks that other scanners missed. Fuzz scans can run for 1-2 days as needed, so I usually check on them every morning or wait for a notification that something has been found.
- As a security person, sometimes I get requests to run certain scans outside of CI/CD. A dependency scan is usually what is requested, so I need to run it and report the findings.
- As a security person, I am responsible for scans outside of CI/CD. I need to fine-tune the configuration of a scan based on its results; sometimes the first run didn't find very much, so I need to see what's going on and try again. When I determine that a certain configuration works very well, I want to save it so I can reuse it later.
Tasks
- Create different scans for different types of scanners
- Manage different scans: stop/pause/delete
- Change the configuration of different types of scanners
- Check the results of a particular scan
- Check all results from runs over a certain time period to understand what happened in that time