BBD: Quick Scan mode

Problem to solve

Browser-based DAST achieves greater crawl coverage than proxy-based DAST. That yields more comprehensive vulnerability findings, but at the cost of performance: ZAP was faster than browser-based DAST largely because it took significantly fewer actions on each page of an application. As we remove proxy-based DAST and migrate all customers to browser-based DAST, customers accustomed to ZAP's faster scans (with worse coverage) may be unhappy with browser-based DAST's performance.

Proposal

Provide different default scan modes that customers may select, each of which automatically configures the browser-based DAST variables for them. Selecting Quick mode would reduce the time a DAST scan takes while also increasing the likelihood of false negatives, so it should come with a warning. All configuration defaults would need to be documented, and a disclaimer would need to be added so that customers understand they are more likely to experience false negatives.

| Performance Lever | Action | Rationale |
|---|---|---|
| DAST_EXCLUDE_RULES | 798.1-798.128 | Secret detection can be handled by Secret Detection rather than DAST. |
| DAST_EXCLUDE_RULES | 16.10, 16.4, 16.8, 16.9, 319.1 | Exclude checks that only produce "info"-severity findings, as those results are less critical to address. |
| DAST_BROWSER_NUMBER_OF_BROWSERS | 4 | One additional browser beyond the shared .com runner recommendation in our docs. |
| DAST_BROWSER_ACTION_TIMEOUT | 3s | Only allow the browser 3 seconds to complete an action. |
| DAST_BROWSER_CRAWL_TIMEOUT | 15m | Complete the crawl phase in 15 minutes or less. |
| DAST_BROWSER_EXCLUDED_ELEMENTS | | What can we reasonably exclude here? |
| DAST_BROWSER_MAX_DEPTH | 3 | Reduce the number of actions that can be chained. |
| DAST_TARGET_AVAILABILITY_TIMEOUT | 10, or set DAST_SKIP_TARGET_CHECK | Time out after 10 seconds if the target isn't available, or skip that check altogether. |
| DAST_BROWSER_STABILITY_TIMEOUT | 2s | Wait only 2 seconds before considering a page loaded and ready for analysis. |
| DAST_BROWSER_SEARCH_ELEMENT_TIMEOUT | 2s | Only allow the browser 2 seconds to search for new actions/elements. |
| DAST_BROWSER_NAVIGATION_TIMEOUT | 5s | Only allow the browser 5 seconds to navigate to another page. |
| DAST_BROWSER_MAX_ACTIONS | 5000 | Only allow the crawler to perform 5000 actions. |
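As an added example (not part of this proposal or the DAST project's code), a small Python helper that turns the table above into a single CI `variables:` block. It assumes DAST_EXCLUDE_RULES accepts one comma-separated list of check IDs, so the two exclusion rows are expanded and merged into one value; it omits the undecided DAST_BROWSER_EXCLUDED_ELEMENTS row and picks the availability timeout over DAST_SKIP_TARGET_CHECK.

```python
# Assumptions (not from the proposal): DAST_EXCLUDE_RULES takes one comma-separated
# list of check IDs, so the 798.x range is expanded and merged with the info-severity
# IDs; the undecided DAST_BROWSER_EXCLUDED_ELEMENTS row is omitted.
import re

INFO_SEVERITY_RULES = ["16.10", "16.4", "16.8", "16.9", "319.1"]
RANGE_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def expand_rule_range(spec: str) -> list[str]:
    """Expand '798.1-798.128' into ['798.1', ..., '798.128']; a single ID passes through."""
    m = RANGE_RE.match(spec)
    if not m:
        return [spec]
    family, lo, family2, hi = m.groups()
    if family != family2 or int(lo) > int(hi):
        raise ValueError(f"bad rule range: {spec}")
    return [f"{family}.{n}" for n in range(int(lo), int(hi) + 1)]


def exclude_rules(*specs: str) -> str:
    """Merge rule specs into one de-duplicated, comma-separated DAST_EXCLUDE_RULES value."""
    seen: dict[str, None] = {}
    for spec in specs:
        for rule in expand_rule_range(spec):
            seen[rule] = None
    return ",".join(seen)


def quick_mode_variables() -> dict[str, str]:
    """Quick mode settings from the proposal table, as CI variable name -> value."""
    return {
        "DAST_EXCLUDE_RULES": exclude_rules("798.1-798.128", *INFO_SEVERITY_RULES),
        "DAST_BROWSER_NUMBER_OF_BROWSERS": "4",
        "DAST_BROWSER_ACTION_TIMEOUT": "3s",
        "DAST_BROWSER_CRAWL_TIMEOUT": "15m",
        "DAST_BROWSER_MAX_DEPTH": "3",
        "DAST_TARGET_AVAILABILITY_TIMEOUT": "10",  # table's alternative: DAST_SKIP_TARGET_CHECK
        "DAST_BROWSER_STABILITY_TIMEOUT": "2s",
        "DAST_BROWSER_SEARCH_ELEMENT_TIMEOUT": "2s",
        "DAST_BROWSER_NAVIGATION_TIMEOUT": "5s",
        "DAST_BROWSER_MAX_ACTIONS": "5000",
    }


def render_ci_variables(variables: dict[str, str]) -> str:
    """Render the mapping as the YAML `variables:` block of a DAST job."""
    return "\n".join(["variables:"] + [f'  {k}: "{v}"' for k, v in variables.items()])
```

Calling `render_ci_variables(quick_mode_variables())` yields the block to paste into the DAST job; the expanded list makes the coverage given up by Quick mode explicit in the job definition.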

Does this feature require an audit event?

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
