Dynamic Application Security Testing (DAST)
Description
Dynamic Application Security Testing (DAST) allows you to test an application with a black box model, simulating an attacker that is trying to break into a running instance.
Proposal
Implement DAST for applications from within GitLab.
Leveraging Review Apps, we have a production-like environment where the application is running and reachable from GitLab. This is the best candidate to be tested with DAST, so we can spot potential problems and fix them even before the vulnerable code is merged into master. Also, since it is an ephemeral environment, there is no risk of creating persistent unwanted changes to the application.
We should carefully check which applications will be tested by DAST: because the scanner connects to external hosts, a malicious user could try to use it to run unauthorized attacks against third-party applications.
Future
Implement DAST also for external applications, considering what this implies from a security/legal point of view. A possible mitigation of the threat is to use an instance setting to enable/disable this feature, so it can be disabled on shared instances (like GitLab.com) and used only for on-prem installations.
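The two controls described in the proposal and the future section, a target check that only accepts the Review App and an instance-level switch for everything else, as an added example (not GitLab's code). The Review App domain suffix, the function names and the `external_scanning_enabled` flag are assumptions made for the example.

```python
"""Guard deciding whether a DAST job may be pointed at a given target URL.

Review App hosts (ephemeral, reachable from GitLab) are always allowed;
any other host is allowed only when the instance setting permits external
scanning, which a shared instance such as GitLab.com would keep disabled.
"""
import ipaddress
from urllib.parse import urlparse

# Hypothetical domain under which Review Apps are deployed (assumption).
REVIEW_APP_SUFFIX = ".review.example.com"


def _hostname(url):
    """Return the lower-cased host of an http(s) URL, rejecting odd shapes."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported target URL: {url!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the target URL are not allowed")
    return parts.hostname.lower()


def is_review_app(url, suffix=REVIEW_APP_SUFFIX):
    """True when the URL's host is a subdomain of the Review App suffix."""
    host = _hostname(url)
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP literal (v4 or v6) is never a Review App
    except ValueError:
        pass
    # The leading dot in the suffix prevents "fakereview.example.com" matching.
    return host.endswith(suffix)


def dast_target_allowed(url, external_scanning_enabled=False):
    """Decide whether DAST may scan `url` under the instance's settings."""
    try:
        if is_review_app(url):
            return True
    except ValueError:
        return False  # malformed or non-http target: refuse rather than guess
    return external_scanning_enabled


if __name__ == "__main__":
    for target in ("https://mr-42.review.example.com/login",
                   "https://third-party.example.org"):
        print(target, "->", dast_target_allowed(target))
```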
Links / references
- Application Security Testing (SAST, DAST, and Recon): https://gitlab.com/gitlab-org/gitlab-ee/issues/3878