Show browser-based DAST vulnerability check execution time in scan summary
Problem to solve
Different DAST scan rules take varying amounts of time to complete depending on the target web application. If the execution time of each scan rule is reported in the scan summary, users can identify the long-running rules and act on them: disable a rule that is not important or relevant, or tweak the scan parameters so the rule completes faster. This ultimately helps users configure faster and more effective DAST scans.
This issue was created from the original idea in #232801 (closed). As we are moving away from ZAP, the original issue is not going to be implemented. However, the idea is still something that we should look into for browser-based DAST.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Allison (Application Ops)
User experience goal
Users should be able to see the execution time of each scan rule in the scan summary, e.g.:
PASS: Cross Site Scripting (Persistent) - Prime [40016]: Took 10 minutes
PASS: Remote Code Execution - Shell Shock [10048]: Took 150 minutes
PASS: Cross Site Scripting (Persistent) - Spider [40017]: Took 20 minutes
PASS: Script Active Scan Rules [50000]: Took 7 minutes
PASS: Source Code Disclosure - Git [41]: Took 2 minutes
PASS: Source Code Disclosure - File Inclusion [43]: Took 30 minutes
Now the user can identify that Remote Code Execution - Shell Shock [10048] takes 150 minutes and is the main reason the scan takes so long to complete. The user can then decide whether this rule is applicable to the target application and worth running for 150 minutes, and either disable it or keep it running.
Proposal
Based on this comment, we should inject the generic statistics object into the checks so we can track execution times. We should then print that in the job output log so users can see how long each check has taken.
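To illustrate the proposal, here is an added Go sketch (it is not code from the browser-based DAST analyzer; the `Statistics` type, its methods and the check names are assumptions) of a shared statistics object that each check is wrapped with, plus a summary printer in the format shown above. It goes slightly beyond the text by listing the slowest rule first and marking failed checks as FAIL.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
	"time"
)

type CheckResult struct { // one scan rule's outcome and wall-clock execution time
	ID, Name string
	Passed   bool
	Duration time.Duration
}

// Statistics is the assumed object injected into every check (placeholder name, not the analyzer's API); mutex-guarded because checks may run concurrently.
type Statistics struct {
	mu      sync.Mutex
	results []CheckResult
}

// Record stores a finished check; Time wraps a live check and measures it even if it panics.
func (s *Statistics) Record(id, name string, passed bool, d time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.results = append(s.results, CheckResult{id, name, passed, d})
}

func (s *Statistics) Time(id, name string, check func() bool) (passed bool) {
	defer func(start time.Time) { s.Record(id, name, passed, time.Since(start)) }(time.Now())
	return check()
}

// Summary renders the job-log lines in the proposed format, slowest rule first.
func (s *Statistics) Summary() []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	sort.SliceStable(s.results, func(i, j int) bool { return s.results[i].Duration > s.results[j].Duration })
	lines := make([]string, 0, len(s.results))
	for _, r := range s.results {
		status := map[bool]string{true: "PASS", false: "FAIL"}[r.Passed]
		took := r.Duration.Round(time.Millisecond).String() // sub-minute checks keep their precision
		if r.Duration >= time.Minute {
			took = fmt.Sprintf("%d minutes", int64(r.Duration.Round(time.Minute)/time.Minute))
		}
		lines = append(lines, fmt.Sprintf("%s: %s [%s]: Took %s", status, r.Name, r.ID, took))
	}
	return lines
}
```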
Implementation Plan
TBD