Running DAST in CI/CD for Regression Testing

Andreas Wiese23 Jan 2024
AppSecDevSecOpsDAST

In the fast-paced field of software development, ensuring applications remain functional and secure through updates is essential. Regression testing, which checks that new code doesn't harm existing features, is key. Dynamic Application Security Testing (DAST) tools play a crucial role here. They identify security flaws in active web applications. This article explores the importance of DAST tools, integration, and enhancement in regression testing.

Understanding DAST Tools

DAST tools are specialized software that tests an application from the outside. They simulate external attacks on a web application, identifying security flaws such as cross-site scripting, SQL injection and other vulnerabilities that attackers could exploit.

One of the benefits of DAST tools is their ability to analyze applications in their running state, just as an attacker would. This approach offers a realistic assessment of security vulnerabilities in real-world conditions.

Unlike Static Application Security Testing (SAST) tools, which analyze source code, DAST tools like open-source Zap and Invicti do not require access to the source code. This distinction makes DAST tools helpful in testing third-party applications or services where source code access is unavailable. Moreover, they are often easier to use and can be implemented without a deep understanding of the application’s internal workings.

In the following example our Python script demonstrates how to set up an authenticated scan with OWASP ZAP. It involves creating a context, configuring authentication (form-based in this example), setting up a user, and then running both the spider and active scan as that user:

from zapv2 import ZAPv2
import time

# Configuration
target = 'http://example.com'
api_key = 'your-api-key'
zap_proxy = 'http://127.0.0.1:8080'

# Connect to OWASP ZAP API
zap = ZAPv2(apikey=api_key, proxies={'http': zap_proxy, 'https': zap_proxy})

# Configure Context and Authentication
context_id = zap.context.new_context('exampleContext', apikey=api_key)
zap.context.include_in_context('exampleContext', target + '.*', apikey=api_key)
zap.authentication.set_authentication_method(context_id, 'formBasedAuthentication', 
                                             'loginUrl=' + target + '/login&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D', 
                                             apikey=api_key)
zap.authentication.set_logged_in_indicator(context_id, 'pattern', apikey=api_key)
zap.authentication.set_logged_out_indicator(context_id, 'pattern', apikey=api_key)

# Set up a user
user_id = zap.users.new_user(context_id, 'testUser', apikey=api_key)
zap.users.set_authentication_credentials(context_id, user_id, 'username=test&password=secret', apikey=api_key)
zap.users.set_user_enabled(context_id, user_id, True, apikey=api_key)

# Start Spider and Active Scan
zap.spider.scan_as_user(context_id, user_id, target, recurse=True, apikey=api_key)
while int(zap.spider.status()) < 100:
    time.sleep(2)
zap.ascan.scan_as_user(context_id, user_id, target, recurse=True, apikey=api_key)

The Role of Regression Testing

A 4 element schematic that illustrates the advantages of DAST in regression testing: Real World Testing, No Source Code Needed, Vulnerability Detection, Complementary Testing

Regression testing is integral to maintaining software quality and reliability. It involves re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change. 

Whether the change is a bug fix, a new feature, or a code enhancement, regression testing helps confirm that the new code has not introduced new faults or caused regression of existing functionality.

In the fast-paced environment of continuous integration and continuous deployment (CI/CD), regression testing ensures that new code integrations do not break or degrade the application. This testing is not just about finding bugs. It's about verifying that the application continues to meet its requirements and function as expected.

Integrating DAST Tools into Regression Testing

Implementing Dynamic Application Security Testing (DAST) tools effectively in regression testing is important for identifying security vulnerabilities in web applications. The key lies in integrating these tools into the testing process, for example:

  • Incorporate DAST Early in the Development Cycle: Integrate DAST tools early and throughout the development lifecycle to catch vulnerabilities as soon as possible
  • Automate DAST in CI/CD Pipelines: Include DAST scans in Continuous Integration/Continuous Deployment (CI/CD) pipelines to test new code automatically commits for vulnerabilities.
  • Contextualize DAST Findings with Regression Tests: Use DAST tool findings to inform and refine regression testing strategies, focusing on areas where changes are most likely to introduce vulnerabilities.
  • Feed DAST with Manual Findings: All new DAST tools provide an easy way for importing results with manual findings, such as pentest results or red team efforts, to enhance the overall assessment.

By following these best practices, organizations can effectively leverage DAST tools in regression testing, enhancing the security and robustness of their web applications.

DAST Tool Mechanics

Illustration that shows the 4 steps of DAST tools: External Simulation, Vulnerability Scanning, Response Analysis, Reporting

DAST tools operate by simulating an external attacker trying to breach the application. They typically perform automated black-box testing, meaning they cannot access the source code or the application's internal structure.

These tools scan for a wide range of vulnerabilities, including but not limited to input validation errors, broken authentication mechanisms, and misconfigured security settings.

The algorithms used by individual DAST tools vary but generally involve sending a series of malicious inputs to the application and observing the response. If the application reacts unexpectedly or insecurely, the tool flags it as a potential vulnerability. This method allows DAST tools to identify weaknesses that might not be visible in the source code.

Optimizing Testing with DAST Tools

Illustration providing details about the 6 components of best practices in DAST and regression testing: Aumate Testing, Regular Updates, Team Collaboration, Reduce False Positives, CI/CD Integration. Prioritize Vulnerabilities.

Effective optimization strategies include regular and comprehensive scanning schedules, integrating DAST tools into the CI/CD pipeline for automated scanning and continuously updating the tool’s knowledge base to recognize the latest vulnerabilities and attack patterns.

Another crucial aspect is to minimize false positives – incorrect identifications of vulnerabilities. This can be achieved by fine-tuning the tool’s settings and regularly updating its rules and signatures based on the application’s evolving landscape. Collaborative efforts between security and development teams can also enhance the effectiveness of DAST tools, ensuring that findings are accurately interpreted and addressed promptly.

Enhancing DAST and Regression Testing with Security Orchestration

In the context of DAST and regression testing, security orchestration can streamline the testing process, making it more efficient and effective. By coordinating different security tools, orchestration platforms can provide a more comprehensive view of an application’s security posture.

Implementing security orchestration in regression testing involves integrating DAST tools with other security solutions like SAST or vulnerability scanners. This includes converting them into the right format and retesting in the pipeline. Using orchestration then enables powerful automation workflows across different tools and app specific risk scoring. It ensures that known vulnerabilities are not pushed to production. 

The Kondukto Application Security Orchestration and Posture Management platform allows best of breed DAST solutions, like Veracode or Invicti, to re-test vulnerabilties and utilizes them in the CI/CD pipelines.  For example, here is how you would do this with Kondukto’s open-source CLI tool kdt:

# This command will trigger a "re-test" scan on the Invicti to ensure that they've been fixed.
kdt scan -p $ProjectName -t invicti –scan-params=type:re-test 

Conclusion

DAST tools ability to simulate real-world attacks and identify vulnerabilities in running applications makes them an invaluable asset. Organizations can significantly enhance the security and reliability of their software products by effectively integrating and optimizing these tools within the testing pipeline. As the software development landscape continues to evolve, taking advantage of DAST tools using a security orchestration platform will give you the automation capabilities to keep up.

Get A Demo