Methodology
SAST
-
DAST
For Dynamic Application Security Testing (DAST) we use OWASP ZAP, a widely used open-source web application security scanner. OWASP ZAP is built specifically for testing web applications at runtime and offers a range of features and tools to identify potential security vulnerabilities.
Introduction to OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is part of the OWASP (Open Web Application Security Project) tools, known for their reliability and effectiveness in the field of web security. It is designed to automatically find security vulnerabilities in web applications while they are running, making it a suitable choice for DAST.
Utilization of OWASP ZAP in Our Testing
For our testing purposes, we adhere to the following procedure:
Use of Default Policy:
For our DAST process, we use the default scan policy of OWASP ZAP. This policy covers a wide range of typical web application vulnerabilities, so the scan is thorough without requiring per-project tuning. Note that the default policy scans as an unauthenticated user: pages that are only reachable after login are exercised only if authentication is configured for ZAP separately. For further details about our scanning approach, please refer to the "SAST/DAST Requirements" article, which provides more comprehensive information.
Dedicated Repository for Testing:
We have established a separate repository, openimis-dynamic-application-security-testing, specifically for conducting Dynamic Application Security Testing. This repository is central to our DAST process.
The application build process occurs in the openimis-dist_dkr repository. Here, we pull the latest version of the application, configure the necessary environment (including setting up the .env file), and deploy the application using Docker Compose.
This approach allows us to maintain a clear separation between the application building and security testing processes, ensuring a structured and focused DAST workflow.
Performing the Analysis:
Once the application is running in its dockerized environment, OWASP ZAP performs an automated security analysis on it.
The target for the analysis is the running instance of the application, typically accessed at http://localhost:80.
Because the scan targets the same Docker Compose deployment used for distribution rather than a development server, the findings apply to the application as it is actually deployed; aspects that differ in a given production installation (for example TLS termination or a reverse proxy in front of the stack) are only covered to the extent the Compose configuration and .env reproduce them.
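The procedure above (deploy from openimis-dist_dkr, wait for the instance on http://localhost:80, run ZAP with its default policy, then act on the findings) can be driven by a single script. The following is an added example, not tooling from the openIMIS project: it runs the packaged zap-full-scan.py from the official ZAP Docker image, reads the JSON report ZAP writes with -J, and fails the run if any alert is above a chosen risk level. The image name, the relative path to the openimis-dist_dkr checkout and the sample report embedded for offline testing are assumptions; the sample alerts are constructed to show the report shape and are not findings against openIMIS.

```python
"""Drive the DAST run: deploy, wait, scan with ZAP, gate on the report.

Added example; not the openIMIS project's own tooling. Assumptions are
marked in comments."""
import json
import os
import subprocess
import sys
import time
import urllib.error
import urllib.request

TARGET = "http://localhost:80"                 # running instance, as on the page
ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"   # assumption: official ZAP image
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def deploy(dist_dir):
    """Bring the stack up from the openimis-dist_dkr checkout (assumes .env is set up)."""
    subprocess.run(["docker", "compose", "up", "-d"], cwd=dist_dir, check=True)


def wait_for_http(url, timeout=300, interval=5):
    """Poll until the target answers; any HTTP status counts as 'up'."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            urllib.request.urlopen(url, timeout=5)
            return True
        except urllib.error.HTTPError:
            return True          # 4xx/5xx still means the web tier is listening
        except (urllib.error.URLError, OSError):
            time.sleep(interval)
    return False


def run_zap(target, work_dir, report_name="zap-report.json"):
    """Run ZAP's packaged full scan with its default policy.

    --network host lets the container reach localhost; -I keeps the script
    from failing on WARN-level alerts so that gate() below decides pass/fail."""
    cmd = ["docker", "run", "--rm", "--network", "host",
           "-v", f"{os.path.abspath(work_dir)}:/zap/wrk:rw", ZAP_IMAGE,
           "zap-full-scan.py", "-t", target, "-J", report_name, "-I"]
    subprocess.run(cmd, check=False)   # exit code is inspected via the report instead
    return os.path.join(work_dir, report_name)


def load_report(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _alerts(report):
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            level = RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational")
            yield level, alert.get("alert", alert.get("name", "?"))


def summarize(report):
    """Count alerts per risk level in ZAP's JSON report (-J output)."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for level, _ in _alerts(report):
        counts[level] += 1
    return counts


def gate(report, max_allowed="Medium"):
    """Return (level, name) for alerts above max_allowed; an empty list means pass."""
    return sorted((level, name) for level, name in _alerts(report)
                  if RISK_RANK[level] > RISK_RANK[max_allowed])


# Constructed sample in the shape ZAP writes with -J; not real openIMIS findings.
SAMPLE_REPORT = {
    "site": [{
        "@name": TARGET,
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
            {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
            {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
            {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0"},
        ],
    }]
}


if __name__ == "__main__":
    # Assumption: the dist repo is checked out next to this one.
    dist_dir = sys.argv[1] if len(sys.argv) > 1 else "../openimis-dist_dkr"
    deploy(dist_dir)
    if not wait_for_http(TARGET):
        sys.exit(f"{TARGET} did not come up in time")
    report = load_report(run_zap(TARGET, "."))
    print(summarize(report))
    blocking = gate(report)
    for level, name in blocking:
        print(f"{level}: {name}")
    sys.exit(1 if blocking else 0)
```

The gate is deliberately separate from ZAP's own pass/fail: the packaged script treats every alert as WARN by default, so without a threshold of our own a High finding would not stop a pipeline. Mounting the working directory at /zap/wrk is what lets the container write the report back to the host.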
Conclusion
By integrating OWASP ZAP into our DAST methodology, we aim to proactively identify and mitigate security vulnerabilities in the openIMIS application. This approach aligns with industry best practices for web application security and contributes to the robustness and reliability of our application.
Result Summary
SAST
-
DAST
Remediation
SAST
-
DAST
Report
SAST
-