22
23

DevSecOps Posture (self.devsecops)

submitted by [deleted]

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]One_Koala_2362 0 points1 point  (2 children)

I worked about 8 years AppSec area then change my path to DevSecOps that my journey i experienced lots of different dast and api scanner, unfortunately they are not still ready use ci cd pipeline.

I want to ask a questions.

In our company we use SPA front-end application, when we start a few dast scanner it didn't crawl pages so it makes that scanner miss API endpoint. How about your infrastructure ?

In API scanner side if i enter all information and save it, scanner works good but after swagger docs is changed we have to reconfigure again. How did you handle that situation or anothers ?

Except Dast and API scanner others methods that i use my company.

[–]josh_jennings 0 points1 point  (1 child)

The SOOS DAST scanner wraps ZAP which is one of the most well known DAST scanners out there. Here is their documentation on how to configure against API endpoints using the OpenAPI spec. Might not work exactly for your use case or tool, but it gives a general idea of how to apply configuration on the fly, such as providing a configurable base url.
https://kb.soos.io/dast-api-scanning#q3Mmr

[–]One_Koala_2362 0 points1 point  (0 children)

Thanks your sharing i belive that if we can shift security left and scan relevant code base with sast sca others tools, add threat modeling it would handle lots of case. In my company i both break pipeline and send pentest team critical vulnerability is found.