In the early days of application security, the go-to for any team trying to secure their applications focused on two types of scanning engines only – SAST to analyze and secure source code, and DAST to test against a deployed or running application.
This approach has changed in today's AppSec world, as there is a need for a platform that offers a range of scanning engines matching the multiple domains of modern application development, such as SAST, SCA, Infrastructure as Code, API security, and so on. Also, because of the speed and complexity of modern application development, it has become critical that any scanning engine fits seamlessly into the developer's pipeline so as not to interrupt workflows or delay delivery.
And, admittedly, it is this trend in modern application development that has resulted in some AppSec experts moving away from DAST and other runtime solutions to focus on pre-deployment scanners, such as SAST and SCA.
However, this trend is about to change again. Not only does Checkmarx One offer all the scanning engines that one would expect (and then some, such as supply chain security, IaC security, and API security), but our approach to DAST is set to bring it back into the mainstream.
Getting Started with DAST
Creating Environments and Running a Scan
Since DAST executes against a running application, we need to create an Environment to define the application to be tested. This is where the environment's name, URL, and type (web or API) are defined, along with optional fields for tags and groups:
Checkmarx One supports both web and API environment types. API environments have additional fields to upload API documentation files and to link the environment to a project. See the API Security Integration section for more details.
You can initiate a DAST scan either manually via the Checkmarx One portal (which we will cover in this section) or using the DAST CLI, which can be run independently or as part of a build pipeline.
After creating the environment, it will be visible in the environments list and is ready to scan:
Hovering over the environment will reveal an action menu where we can start a scan, review results, and copy the environment ID (needed for pipeline integration).
Selecting the scan option will open the new scan wizard, where a configuration file is provided to define scan settings, user accounts, authentication method, and so on.
After providing the configuration file, we are ready to start the scan:
We can then use the View action to dive into the scan results:
API Security Integration
As we mentioned above, one of the key synergies in Checkmarx One is the correlation between API Security and DAST, where DAST can leverage the APIs that were discovered by API Security to drive the coverage of the DAST API scan.
It is easy for users to link a DAST API environment with a Checkmarx One project to automatically consume any API Security results. We simply need to select a project in the project drop-down:
Viewing Checkmarx One DAST Results
And finally, let's take a look at how to review and triage our DAST results, which we can dive into using the environment's View option:
Individual findings can be investigated in detail by clicking on the issue itself. Here, on the risk detail page, we can find the additional information for this vulnerability, such as its risk score, HTTP method, parameters, attack string, and so on, as well as a detailed description of the vulnerability type along with resolution and remediation advice:
And most importantly, each DAST vulnerability also includes Proof, with a quick link to copy the request and attack string to your local clipboard – this allows for easy validation of results:
Learn more
To learn more about Checkmarx DAST, you can see it in action here or contact your Checkmarx account team.