Detectify integration for DAST
Problem to solve
Detectify is an automated scanner that checks web applications for known vulnerabilities and monitors subdomains for hostile takeovers. It could be a good replacement for customers who don't want to use our ZAP integration.
Intended users
- Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst
Further details
Our Security Products follow a common report format (even if DAST doesn't implement it yet: &810 (closed)). As soon as a report provides the required fields in a valid JSON file, data can be provided by any kind of scanner.
Proposal
Detectify has an API we can leverage from the pipeline to generate the required report. The results will be displayed in the Merge Request Security Widget and the Security Dashboards.
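An added illustration, not code from GitLab or Detectify: a pipeline-side converter that turns scanner findings into the common report structure and checks every entry for the required fields before the file is written. The Detectify response shape, the required-field list, the severity thresholds and the report version are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample findings in a shape assumed for illustration only; the
# real Detectify API response must be checked against Detectify's docs.
SAMPLE_FINDINGS = [
    {"uuid": "f-001", "title": "Reflected XSS", "score": 7.1,
     "url": "https://app.example.test/search?q=x", "description": "Input echoed unescaped."},
    {"uuid": "f-002", "title": "Missing HSTS header", "score": 3.0,
     "url": "https://app.example.test/", "description": "No Strict-Transport-Security."},
]
# Fields every entry must carry for the widget to render it (assumed minimum set).
REQUIRED_FIELDS = ("category", "name", "message", "severity", "confidence",
                   "scanner", "location", "identifiers")

def severity_from_score(score):
    """Map a numeric score to severity labels (thresholds are assumed)."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.01, "Low")):
        if score >= floor:
            return label
    return "Info"

def to_gitlab_report(findings, version="2.0"):
    """Convert scanner findings into the common report structure."""
    vulns = []
    for f in findings:
        url = urlsplit(f["url"])
        vulns.append({
            "category": "dast",
            "name": f["title"],
            "message": f["title"],
            "description": f.get("description", ""),
            "severity": severity_from_score(float(f.get("score", 0))),
            "confidence": "Medium",  # scanner gives no confidence; fixed value assumed
            "scanner": {"id": "detectify", "name": "Detectify"},
            "location": {"hostname": url.hostname, "path": url.path},
            "identifiers": [{"type": "detectify_finding", "name": f["title"],
                             "value": f["uuid"]}],
        })
    return {"version": version, "vulnerabilities": vulns}

def missing_fields(report):
    """Return (index, field) pairs for entries the widget would reject."""
    return [(i, k) for i, v in enumerate(report["vulnerabilities"])
            for k in REQUIRED_FIELDS if k not in v]

if __name__ == "__main__":
    with open("gl-dast-report.json", "w") as fh:  # artifact name the DAST job uses
        json.dump(to_gitlab_report(SAMPLE_FINDINGS), fh, indent=2)
```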
Permissions and Security
N/A
Documentation
We will have a new page explaining how to integrate Detectify with GitLab. This page can be linked from the DAST page directly, or from a new "integrations for Security Products" page.
Testing
TODO
What does success look like, and how can we measure that?
- Number of users using Detectify for DAST (along with ZAP or not)
What is the type of buyer?
- Ultimate