Breach and Attack Simulation (BAS) uses additional security testing techniques to assess the risk of detected vulnerabilities and prioritize the remediation of exploitable vulnerabilities.
For feedback, bug reports, and feature requests, see the feedback issue.
## Extend Dynamic Application Security Testing (DAST)

You can simulate attacks with DAST to detect vulnerabilities. By default, DAST active checks match an expected response, or determine by response time whether a vulnerability was exploited.
To enable BAS extended DAST scanning for your application, use the `dast_with_bas` job defined in the GitLab BAS CI/CD template file. Updates to the template are provided with GitLab upgrades, allowing you to benefit from any improvements and additions.
To extend DAST with BAS:

1. Include the appropriate BAS CI/CD template. The latest version of the template may include breaking changes; use the stable template unless you need a feature provided only in the latest template. For more information about template versioning, see the CI/CD documentation.
2. Choose one of the following options for running BAS extended DAST scans:
   - Create a duplicate DAST job, if you're not using the latest DAST template yet and want to continue using a stable version of the DAST security analyzer image for your regular DAST scans. The duplicate `dast_with_bas` job extends your existing DAST job configuration.
   - Extend your existing DAST job, if you're already using the latest DAST template rather than the stable template. The existing DAST job is extended to use the latest DAST security analyzer image tag from the Breach and Attack Simulation SEG.
3. Set up a callback server to enable callback attacks.
### Create a duplicate DAST job

To maintain a separate DAST job while testing the BAS extended DAST image:

1. Add a `dast` stage to your GitLab CI/CD `stages` configuration:

   ```yaml
   stages:
     - build
     - test
     - deploy
     - dast
   ```

2. Configure the `dast_with_bas` job provided by the BAS template. At minimum, set `DAST_WEBSITE` to the URL of the application under test:

   ```yaml
   dast_with_bas:
     variables:
       DAST_WEBSITE: http://yourapp
   ```
### Extend an existing DAST job

To enable Breach and Attack Simulation features inside of an existing DAST job:

1. Follow the steps in Create a DAST CI/CD job.
2. Extend your DAST job with the `.dast_with_bas` job using the `extends` keyword:

   ```yaml
   dast:
     extends: .dast_with_bas
   ```

3. Disable the `dast_with_bas` job included in the BAS template, so that it does not run a second scan alongside your extended `dast` job, by setting `DAST_BAS_DISABLED`:

   ```yaml
   dast_with_bas:
     variables:
       DAST_BAS_DISABLED: "true"
   ```
### Enable callback attacks

Callback attacks perform Out-of-Band Application Security Testing (OAST) for certain active checks: instead of inferring exploitation from the response body or the response time, the check induces the target to contact a callback service that the scanner controls, so the vulnerability is confirmed by the callback arriving even when the response itself reveals nothing.

1. Extend the `.dast_with_bas_using_services` job configuration using the `extends` keyword. For an extended existing DAST job, extend `dast` directly; for a duplicate job, list both:

   ```yaml
   # Extended existing DAST job
   dast:
     extends: .dast_with_bas_using_services

   # Duplicate DAST job
   dast_with_bas:
     extends:
       # NOTE: extends overwrites rather than merges so dast must be included in this list.
       - dast
       - .dast_with_bas_using_services
   ```

2. Use a `!reference` tag to pull in the default `callback` service container in your `services` configuration. Because `services` also overwrites rather than merges, reference the template's services list and then re-add your own application container:

   ```yaml
   services:
     # NOTE: services overwrites rather than merges so it must be referenced to merge.
     - !reference [.dast_with_bas_using_services, services]
     # NOTE: Link your application container to the dast job and
     # access it with the hostname yourapp. See more about Docker services at
     # https://docs.gitlab.com/ee/user/application_security/dast/#docker-services
     - name: $CI_REGISTRY_IMAGE
       alias: yourapp
   ```
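The procedures above combined into one complete `.gitlab-ci.yml`, added here as an illustration and not taken from the GitLab documentation or the BAS template: the duplicate-job option (a `dast_with_bas` job beside a stable `dast` job) with callback attacks enabled through `.dast_with_bas_using_services`. It assumes the template paths `Security/DAST.gitlab-ci.yml` and `Security/BAS.latest.gitlab-ci.yml` (GitLab's template naming; this page does not spell out the BAS template path), that the application image is `$CI_REGISTRY_IMAGE` serving on port 80 under the alias `yourapp`, and that the template's `.dast_with_bas_using_services` job defines the callback service.

```yaml
# Added example, not from the GitLab docs or the BAS template.
# Assumed: template paths follow GitLab's Security/*.gitlab-ci.yml naming,
# the app image is $CI_REGISTRY_IMAGE listening on port 80, and the
# callback service is defined by the template's .dast_with_bas_using_services job.
include:
  - template: Security/DAST.gitlab-ci.yml        # stable DAST analyzer for the existing dast job
  - template: Security/BAS.latest.gitlab-ci.yml  # provides dast_with_bas and .dast_with_bas_using_services

stages:
  - build
  - test
  - deploy
  - dast

# Existing DAST job: unchanged, keeps scanning with the stable analyzer image.
dast:
  variables:
    DAST_WEBSITE: http://yourapp
  services:
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp

# Duplicate job: the BAS template's dast_with_bas job, extended with the
# existing dast job's configuration plus the callback service.
dast_with_bas:
  extends:
    # extends overwrites rather than merges, so dast must be listed explicitly.
    - dast
    - .dast_with_bas_using_services
  variables:
    DAST_WEBSITE: http://yourapp
  services:
    # services overwrites rather than merges: pull the callback service back in
    # with !reference, then re-add the application container under the alias
    # that DAST_WEBSITE points at.
    - !reference [.dast_with_bas_using_services, services]
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp
```

Mind the two overwrite-not-merge keys: an `extends` list replaces any `extends` the template gave `dast_with_bas`, so `dast` has to be listed explicitly, and a `services` list replaces the inherited one, so the callback service is pulled back in with `!reference` before the application container is appended. If you take the manual route instead of `.dast_with_bas_using_services`, the container-to-container networking step is, on the Docker executor, the runner's `FF_NETWORK_PER_BUILD` feature flag (assumption: your runner uses the Docker executor).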
You can also manually enable callback attacks by making sure to:

- Set the `DAST_FF_ENABLE_BAS` CI/CD variable to `true`.
- Run both the application being tested and the callback service container using `services`.
- Enable container-to-container networking so that the callback service is accessible in the job.
- Pass an `Address:$YOUR_CALLBACK_URL` key/value pair, where `$YOUR_CALLBACK_URL` is the address at which the callback service is accessible to the Runner/DAST container.