Category Maturity Scorecard - Secure:Dynamic Analysis FY22-Q1 - Verifying "Viable" status

What’s this issue all about?

To assess the current state of Dynamic Analysis and verify its current maturity as Viable.

Who is the target user of the feature?

JTBD

  • When I am ready to release changes into production, I want to verify it is safe to release, so I can release the changes responsibly.
  • When I am assessing the security of my application in production, I want to know whether my app is currently vulnerable, so that I can address detected business-critical vulnerabilities.

What questions are you trying to answer?

  • Understand if DAST can actually be considered Viable (it has not gone through a CMS to verify this status)
  • Understand how the following changes have impacted DAST’s maturity rating:
    • Introduction of on-demand scans
    • Ability to configure pipeline scan for a specific type of app
    • Ability to configure pipeline scan in UI

Research Results

The DAST Category Maturity Scorecard (CMS) to verify Viable maturity resulted in a rating of 3.5, which is towards the top of the Viable range. This score officially verifies DAST's maturity as Viable and keeps it on track to advance to Complete maturity by 2022-04-30.

Edited by Michael Fangman