Automating DAST scans

Incorporate dynamic scanning in your functional testing.

In a DevOps pipeline it is increasingly important to incorporate security scans in the functional testing of your web applications. If you already use an automation framework (such as Selenium), you can reuse the scripts you have written to produce tailor-made scans:
  • The requests from the automation framework to the web application are sent through the AppScan Traffic Recorder proxy.
  • The recorder captures the traffic and saves it as a dast.config file.
  • Upload that file to Application Security on Cloud, where it is used as Explore data for a scan.
  • Alternatively, browse the web application manually through the same proxy to create a dast.config file.
Figure 1. Automated Scan Flow
ASoC Automation Workflow:
  1. Initialization (once per AppScan Presence server):
    1. Create the AppScan Presence.
    2. Configure a Private Site Server proxy for the Presence.
    3. Start the AppScan Presence.
    4. (Optional) Install the recorder's root certificate in the browser or test client so that recorded HTTPS traffic does not trigger SSL warnings (see Configuring the HCL AppScan Traffic Recorder).
  2. Running scans:
    1. Start the proxy listening on a specified or randomly selected port, as configured (see Starting and stopping the HCL AppScan Traffic Recorder).
    2. Run your Selenium script (or other functional test) through the selected proxy,

      OR

      Browse your web application manually using a web browser configured to work through the selected proxy.

    3. Stop the proxy and save the traffic recording.
    4. Publish to ASoC using the ASoC REST API, by creating a new scan under the relevant application (see REST API).

You can download our demo script for this workflow, which uses the REST API (Download demo script).
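As an added example (not the downloadable demo script and not HCL's own code), the following Python script strings the "Running scans" steps together: it asks the Traffic Recorder for a listener, drives a Selenium test through it, stops the listener, saves the recording as dast.config, and publishes it to ASoC. It assumes the recorder listens on http://localhost:8383 and exposes StartProxy, StopProxy and Traffic endpoints under /automation, and that the ASoC REST API accepts an API-key login at /api/V2/Account/ApiKeyLogin, a multipart upload (form field fileToUpload) at /api/v2/FileUpload and scan creation at /api/v2/Scans/DynamicAnalyzer with a TrafficFileId field. All of those paths, field names and the default port are assumptions to confirm against the Traffic Recorder and REST API references before use; the environment variables TARGET_URL, ASOC_KEY_ID, ASOC_KEY_SECRET, ASOC_APP_ID and ASOC_PRESENCE_ID are the script's own.

```python
"""Glue for the ASoC automation workflow: start a Traffic Recorder proxy, run a
Selenium test through it, save the recording as dast.config and publish it via
the ASoC REST API.  Added example, not the product's demo script; endpoint paths,
JSON fields and form field names are ASSUMPTIONS to verify against the API docs."""
import json
import os
import urllib.request
import uuid

RECORDER_BASE = os.environ.get("RECORDER_BASE", "http://localhost:8383")  # assumed default
ASOC_BASE = os.environ.get("ASOC_BASE", "https://cloud.appscan.com")


def call(method, url, body=None, headers=None, timeout=120):
    """Minimal HTTP helper returning the raw response body."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

# --- Traffic Recorder automation API (paths assumed) ---
def parse_port(raw):
    """Start replies are assumed to look like {"port": 43210}; a bare integer is tolerated."""
    text = raw.decode() if isinstance(raw, bytes) else raw
    try:
        return int(json.loads(text)["port"])
    except (ValueError, TypeError, KeyError):
        return int(text.strip())

def recorder_start(port=0):
    """Start a listener; port 0 lets the recorder pick a free one. Returns the port in use."""
    return parse_port(call("GET", f"{RECORDER_BASE}/automation/StartProxy?port={port}"))

def recorder_stop_and_save(port, out_path):
    """Stop the listener and download its recording as a dast.config file."""
    call("GET", f"{RECORDER_BASE}/automation/StopProxy?port={port}")
    data = call("GET", f"{RECORDER_BASE}/automation/Traffic/{port}")
    with open(out_path, "wb") as fh:
        fh.write(data)
    return len(data)

# --- Selenium through the proxy ---
def chrome_proxy_args(host, port):
    """Chrome flags that route every browser request through the recorder."""
    return [f"--proxy-server={host}:{port}"]

def run_functional_test(proxy_host, proxy_port, start_url):
    """Run the existing Selenium flow; the body is a placeholder for your own steps."""
    from selenium import webdriver  # lazy import: the other helpers work without Selenium
    opts = webdriver.ChromeOptions()
    for arg in chrome_proxy_args(proxy_host, proxy_port):
        opts.add_argument(arg)
    driver = webdriver.Chrome(options=opts)
    try:
        driver.get(start_url)  # ... your existing test steps go here ...
    finally:
        driver.quit()

# --- ASoC REST API (paths and field names assumed) ---
def multipart_body(field, filename, content, boundary):
    """Hand-built multipart/form-data body so no third-party HTTP library is needed."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()

def asoc_login(key_id, key_secret):
    body = json.dumps({"KeyId": key_id, "KeySecret": key_secret}).encode()
    raw = call("POST", f"{ASOC_BASE}/api/V2/Account/ApiKeyLogin", body,
               {"Content-Type": "application/json"})
    return json.loads(raw)["Token"]

def asoc_upload(token, path):
    boundary = uuid.uuid4().hex
    with open(path, "rb") as fh:
        body = multipart_body("fileToUpload", os.path.basename(path), fh.read(), boundary)
    raw = call("POST", f"{ASOC_BASE}/api/v2/FileUpload", body,
               {"Authorization": f"Bearer {token}",
                "Content-Type": f"multipart/form-data; boundary={boundary}"})
    return json.loads(raw)["FileId"]

def scan_request(app_id, file_id, scan_name, presence_id=None):
    """Payload for a DAST scan that uses the uploaded recording as Explore data."""
    req = {"AppId": app_id, "ScanName": scan_name, "TrafficFileId": file_id}
    if presence_id:  # needed when the target is reachable only through the Presence
        req["PresenceId"] = presence_id
    return req

def asoc_publish(token, app_id, file_id, scan_name, presence_id=None):
    body = json.dumps(scan_request(app_id, file_id, scan_name, presence_id)).encode()
    raw = call("POST", f"{ASOC_BASE}/api/v2/Scans/DynamicAnalyzer", body,
               {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return json.loads(raw)["Id"]

if __name__ == "__main__":
    port = recorder_start()
    run_functional_test("127.0.0.1", port, os.environ["TARGET_URL"])
    recorder_stop_and_save(port, "dast.config")
    token = asoc_login(os.environ["ASOC_KEY_ID"], os.environ["ASOC_KEY_SECRET"])
    file_id = asoc_upload(token, "dast.config")
    print("scan id:", asoc_publish(token, os.environ["ASOC_APP_ID"], file_id,
                                   "selenium-run", os.environ.get("ASOC_PRESENCE_ID")))
```

Two practical points when wiring this into a pipeline: keep the API key secret in the CI system's secret store and pass it through the environment rather than committing it with the test code, and if you skip the optional root-certificate step the HTTPS pages your test visits will fail certificate validation inside the proxied browser, so either install the certificate on the build agent or restrict the recorded run to a test environment where you accept that risk.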