Tutorial: Setting up DAST with Authentication
Author: GitLab Unfiltered
Uploaded: 2025-10-22
Views: 64
Description:
Dynamic Application Security Testing (DAST) helps you identify security weaknesses (CWEs) in your web applications. After you deploy your web application, it becomes exposed to new types of attacks, many of which cannot be detected prior to deployment. For example, misconfigurations of your application server or incorrect assumptions about security controls may not be visible from the source code, but they can be detected with browser-based DAST.
For complete coverage, the DAST analyzer must authenticate with the application being tested. This requires configuring the authentication credentials and authentication method in the DAST CI/CD job.
DAST requires authentication to:
- Simulate real-world attacks and identify vulnerabilities that might be exploited by attackers.
- Test user-specific features and custom behavior that may only be visible after authentication.
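
A `.gitlab-ci.yml` fragment for an authenticated DAST job, added here as an illustration; it is not taken from the video or from GitLab's demo project. The target URLs and form selectors are placeholder assumptions, and the variable names follow GitLab's browser-based DAST documentation, so check them against the GitLab version in use.

```yaml
# Added example: authenticated browser-based DAST scan.
# All URLs and selectors below are placeholders for a hypothetical app.
stages:
  - build
  - test
  - deploy
  - dast

include:
  - template: DAST.gitlab-ci.yml

dast:
  variables:
    # Application under test and its login page.
    DAST_TARGET_URL: "https://staging.example.com"
    DAST_AUTH_URL: "https://staging.example.com/login"

    # Authentication method: how the analyzer fills in and submits the form.
    DAST_AUTH_USERNAME_FIELD: "css:[name=username]"
    DAST_AUTH_PASSWORD_FIELD: "css:[name=password]"
    DAST_AUTH_SUBMIT_FIELD: "css:button[type=submit]"

    # Authentication credentials: DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD
    # are deliberately absent from this file. Define them as masked CI/CD
    # variables in the project settings so the password is never committed
    # to the repository. Use a dedicated test account, not a real user.

    # Write a report of the login steps to help debug failed authentication.
    DAST_AUTH_REPORT: "true"

  artifacts:
    # Keep the authentication report even when the job fails.
    paths:
      - gl-dast-debug-auth-report.html
    when: always
```

If the scan reports far fewer URLs than expected, the authentication report is the first place to check whether the login succeeded.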
Video Outline
---------------------
00:00 - Introduction
00:34 - Basic DAST Configuration Overview
03:19 - Viewing Discovered Vulnerabilities in Default Branch
05:05 - Adding Authentication to DAST
08:44 - Viewing Discovered Vulnerabilities in Merge Request
10:31 - DAST Artifacts (Auth Log, Crawl Graph)
11:51 - Conclusion
Useful Links
--------------------
DAST Documentation: https://docs.gitlab.com/user/applicat...
DAST Authentication Documentation: https://docs.gitlab.com/user/applicat...
Tanuki Shop Demo Application: https://gitlab.com/gitlab-da/tutorial...
Other DAST Demo Applications: https://gitlab.com/gitlab-org/securit...
GitLab Security Solutions: https://about.gitlab.com/solutions/ap...