Cyber Security

How do I integrate automated DAST scanning into a high-velocity Jenkins CI/CD pipeline?

HE Asked by Heather Miller · 15-05-2024
0 upvotes 13,450 views 0 comments
The question

We have successfully integrated SAST into our development workflow, but we are struggling with Dynamic Application Security Testing (DAST). Every time we run a full OWASP ZAP scan in our Jenkins pipeline, it takes hours to complete, which completely defeats the purpose of "Continuous Deployment." Is there a way to run incremental DAST scans or focused attacks on only the changed components? How do we handle the authentication tokens required for the scanner to reach the protected routes of our web application without exposing them?

 

3 answers

0
JE
Answered on 17-05-2024

To maintain velocity, you should move away from running a "Full Scan" on every commit. Instead, implement a "Baseline Scan" for daily builds and a "Full Scan" for weekly deep-dives. You can use the OWASP ZAP API to target specific URLs that were changed in the latest pull request. Regarding authentication, use a "sidecar" container in your Jenkins agent that handles the OIDC or JWT token exchange. By storing these credentials in Jenkins Secrets and injecting them as environment variables at runtime, the scanner can access protected routes securely. This "Shift Left" approach ensures dynamic vulnerabilities like XSS or SQL injection are caught early without stalling the production release.

 

0
ST
Answered on 20-05-2024

Are you currently using "Passive Scanning" during your integration tests to identify security headers and cookies without adding any extra time to the build process? 

DA 21-05-2024

Steven, that is a brilliant suggestion. We just configured ZAP to act as a proxy during our Selenium UI tests. Since the UI tests are already running, ZAP just "listens" to the traffic and flags missing security headers like 'X-Frame-Options' or 'Content-Security-Policy'. It adds zero seconds to our total pipeline time but still gives us a comprehensive look at the front-end security posture. We also set up a threshold where the build only fails if it finds a 'High' severity alert, which has significantly reduced the noise for our developers.

0
RO
Answered on 24-05-2024

The key is to run your heavy DAST scans asynchronously. Let the deployment happen to a staging environment, and trigger the scan as a separate job that doesn't block the main pipeline. 

HE 25-05-2024

I agree with Robert. We use a 'Post-Deployment' hook. If the DAST scan finds something critical, it automatically triggers a rollback of the staging environment to ensure we don't accidentally promote a vulnerable build.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session