DAST
Dynamic Application Security Testing (DAST) tests your application while it is running — simulating real-world attacks against a live environment to uncover vulnerabilities that are invisible to static code analysis. Unlike SAST, which examines source code at rest, DAST interacts directly with a deployed application to find runtime weaknesses that only manifest under actual conditions.
DAST is a black-box security testing method that identifies vulnerabilities and security flaws in live or running applications. This technique works by simulating attacks on a live or production environment by sending malicious inputs and analyzing responses to uncover weaknesses.
OpsMx Delivery Shield integrates with OWASP ZAP and builds on ZAP's capabilities. The integration provides automated scanning, an intercepting proxy, spidering and crawling, passive and active scanning, and fuzz testing to identify vulnerabilities and security gaps in a live application.
How DAST Works in OpsMx Delivery Shield
Delivery Shield uses ZAP to assess the security posture of applications in their running state by actively testing them for vulnerabilities. Whenever a new image is deployed to an application service, the deploy event is received by SSD from the deploy tool in use, such as Argo CD, Spinnaker, or Jenkins. The endpoint details configured in the ZAP integrator are then used to run the scan and identify vulnerabilities.
The scan results are available in the Post Deploy section of the DBOM page.
The DAST scan lifecycle in Delivery Shield follows this flow:
Deploy event received — Argo CD, Spinnaker, or Jenkins notifies Delivery Shield of a new image deployment
Endpoint configured — Service URL and configuration parameters are collected from the ZAP integrator
Scan initiated — OWASP ZAP launches an automated scan against the live application endpoint
Crawl & map — ZAP spiders the application, mapping all entry points, URLs, parameters, and forms
Attack & analyze — Active scans simulate real attacks; passive scans monitor traffic for security issues
Results surfaced — Findings appear in the Post Deploy section of the DBOM page and the unified Delivery Shield dashboard
Policy enforcement — Results are evaluated against security policies and can block further deployments if critical issues are found
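The policy-enforcement step above, as an added example that is not Delivery Shield's own code: a small Python gate that reads a ZAP JSON report (a constructed sample is embedded, laid out like ZAP's traditional JSON report) and decides whether the deployment should be blocked. The thresholds, the finding layout and the summary function are this example's own choices.

```python
"""Policy gate over a ZAP scan report (added example, not Delivery Shield's
own code). SAMPLE_REPORT is constructed but follows the layout of ZAP's
traditional JSON report: riskcode 0..3 = Informational..High, confidence
0..3 = False Positive..High."""
import json

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_RANK = {name: code for code, name in RISK_NAMES.items()}

# Constructed sample report: one High, one Medium and one Low alert.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://app.example.internal",
    "alerts": [
        {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3",
         "confidence": "2", "cweid": "89", "instances": [
             {"uri": "https://app.example.internal/search", "method": "GET", "param": "q"}]},
        {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3", "cweid": "693", "instances": [
             {"uri": "https://app.example.internal/", "method": "GET", "param": ""}]},
        {"pluginid": "10036", "name": "Server Leaks Version Information",
         "riskcode": "1", "confidence": "3", "cweid": "200", "instances": [
             {"uri": "https://app.example.internal/", "method": "GET", "param": ""}]},
    ]}]})


def evaluate_policy(report_json, block_at="High", min_confidence=2):
    """Return (verdict, findings): 'BLOCK' when any alert is at or above
    block_at risk with confidence >= min_confidence, else 'ALLOW'. Lower-
    confidence alerts are still listed but never stall a pipeline."""
    report = json.loads(report_json)
    findings = []
    for site in report["site"]:
        for alert in site["alerts"]:
            findings.append({
                "site": site["@name"], "name": alert["name"],
                "risk": RISK_NAMES[int(alert["riskcode"])],
                "confidence": int(alert["confidence"]), "cwe": alert.get("cweid"),
                "instances": len(alert.get("instances", []))})
    findings.sort(key=lambda f: RISK_RANK[f["risk"]], reverse=True)
    blocking = [f for f in findings if RISK_RANK[f["risk"]] >= RISK_RANK[block_at]
                and f["confidence"] >= min_confidence]
    return ("BLOCK" if blocking else "ALLOW"), findings


def count_by_risk(findings):
    """Severity breakdown, as a dashboard summary would show it."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for f in findings:
        counts[f["risk"]] += 1
    return counts
```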
Supported Tool
OWASP ZAP (Zed Attack Proxy)
An open-source web application security testing tool developed by OWASP, widely used for identifying vulnerabilities in web applications during development and testing phases.
Why Use DAST in OpsMx
SAST and SCA catch code-level and dependency risks — but many vulnerabilities only appear at runtime, in a live environment with real network traffic, session handling, and authentication flows. DAST completes the application security picture by testing the application the same way an attacker would.
Dynamic Application Security Testing is a cornerstone of modern application security. By identifying vulnerabilities in live applications, DAST helps protect against threats like SQL injection, XSS, and CSRF. Frequent scans aligned with OWASP Top 10 guidelines and integration with CI/CD pipelines ensure continuous security in fast-paced development environments.
OpsMx uses DAST in Delivery Shield to:
Test what attackers actually see — runtime behavior, session handling, live endpoints, and API responses
Automate post-deployment security validation — every new deployment triggers a DAST scan automatically
Unify runtime findings with SAST, SCA, Secrets, and SBOM data in a single security posture view
Block risky deployments using policy enforcement when critical runtime vulnerabilities are found
Meet compliance requirements — OWASP Top 10 coverage supports SOC 2, PCI DSS, NIST 800-53, and other frameworks
Scan Types
OpsMx Delivery Shield supports all major ZAP scan modes:
Passive Scanning
Monitors traffic via a proxy to detect security issues like missing headers, information leakage, and outdated server technologies — without altering data. Safe to run in production as it does not actively send attack payloads.
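To show what "monitoring without altering data" means in practice, here is an added example (not ZAP's or Delivery Shield's code) that applies passive-style checks to constructed, already-captured responses: missing security headers, a version-revealing Server header, and cookie flags. The header list and risk labels are this example's own choices, not ZAP's rule table.

```python
"""Passive-style response checks of the kind ZAP's passive scanner applies to
proxied traffic (added example, not ZAP's or Delivery Shield's code). Only
recorded responses are inspected and nothing is sent to the application,
which is why passive scanning is safe against production."""
import re

# Constructed sample of captured responses: (url, response headers).
CAPTURED = [
    ("https://app.example.internal/",
     {"Content-Type": "text/html", "Server": "Apache/2.4.49 (Unix)",
      "Set-Cookie": "JSESSIONID=abc123; Path=/"}),
    ("https://app.example.internal/api/health",
     {"Content-Type": "application/json",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "default-src 'self'",
      "Set-Cookie": "session=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"}),
]

# Header set and risk labels are this example's choices, not ZAP's rule table.
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options",
                    "Content-Security-Policy")
VERSION_RE = re.compile(r"/\d+(\.\d+)+")  # matches e.g. "Apache/2.4.49"


def passive_check(url, headers):
    """Return (finding, risk, evidence) tuples for one recorded response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in hdrs:
            findings.append((f"Missing header: {name}", "Medium", ""))
    server = hdrs.get("server", "")
    if VERSION_RE.search(server):  # information leakage / outdated technology hint
        findings.append(("Server version disclosure", "Low", server))
    cookie = hdrs.get("set-cookie")
    if cookie:
        parts = [p.strip() for p in cookie.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if url.startswith("https://") and "secure" not in attrs:
            findings.append(("Cookie without Secure flag", "Low", parts[0]))
        if "httponly" not in attrs:
            findings.append(("Cookie without HttpOnly flag", "Low", parts[0]))
    return findings


def scan_captured(captured):
    """Run the passive checks over every recorded response, keyed by URL."""
    return {url: passive_check(url, headers) for url, headers in captured}
```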
Active Scanning
Performs in-depth scans by simulating targeted attacks such as SQL injection, cross-site scripting (XSS), and command injection to identify severe vulnerabilities that attackers could exploit.
Authenticated Scans
Authenticated scans involve logging into the application with valid credentials to test internal functionalities, including role-based access controls and user-specific vulnerabilities.
Non-Authenticated Scans
Non-authenticated scans focus on the application's public-facing components, identifying vulnerabilities accessible without credentials, such as login pages or publicly available APIs.
Ad-Hoc Scanning
DAST has been integrated into the Ad-hoc scanning workflow. Essential details such as the service URL and related configuration parameters are collected from the ZAP integrator, and once this information is gathered, the scan is initiated using OWASP ZAP to identify potential security vulnerabilities.
Key Capabilities
Intercepting Proxy
Acts as a "man-in-the-middle" to analyze, modify, and monitor requests and responses, uncovering hidden vulnerabilities undetected by black-box scanning alone. This gives security teams full visibility into how the application communicates and handles data in transit.
Spidering & Crawling
Automatically crawls web applications — mapping the entire architecture and entry points, collecting URLs, parameters, and forms for comprehensive vulnerability detection. This ensures no endpoint or form field is missed during scanning.
Fuzz Testing
Fuzz testing sends a variety of payloads to API endpoints, form fields, and query parameters to identify input validation flaws and other gaps in application security.
Session Management Testing
Session management testing tracks session state, cookies, and tokens to test authenticated roles, privilege escalation, and logic bugs in workflows. This helps uncover anomalies and alerts teams to shortcomings in the application's security posture.
Custom Scripts & Extensibility
You can use OpsMx's integration with OWASP ZAP to write custom scripts in JavaScript, Python, or Groovy and to add modular add-ons, adapting the scan to specific testing requirements.
Custom Scan Policies
The ZAP integration allows users to select a specific scan policy before triggering a DAST scan — tailoring the depth, scope, and type of tests to match the risk profile of each application or environment.
CI/CD Pipeline Integration
Scans are automatically triggered during specific stages of the development lifecycle. You can integrate and automate vulnerability scans within the CI/CD pipeline using OpsMx.
Vulnerability Coverage — OWASP Top 10 Aligned
OWASP ZAP performs in-depth analysis to uncover vulnerabilities aligned with OWASP Top 10 guidelines.
Injection Flaws
SQL Injection, NoSQL Injection, OS Command Injection
Broken Authentication
Weak credentials, missing security headers, session-related issues
Cross-Site Scripting (XSS)
Reflected, stored, and DOM-based XSS
Sensitive Data Exposure
Missing TLS/SSL, weak encryption, information leakage
Broken Access Control
Forced browsing, IDOR, privilege escalation
Security Misconfiguration
Missing headers, outdated server technologies, exposed endpoints
Cross-Site Request Forgery (CSRF)
Forged requests exploiting authenticated sessions
API Security Issues
OWASP API Top 10 — broken object level authorization, excessive data exposure, API misconfigurations
API Security Testing
ZAP is a powerful open-source API security testing tool. It helps identify vulnerabilities and security risks in web applications and APIs. It can detect issues such as SQL Injection, XSS, Broken Authentication, and API misconfigurations.
ZAP supports API scanning via imported definitions:
OpenAPI / Swagger
Full support — import and scan all endpoints automatically
SOAP
Supported
GraphQL
ZAP supports GraphQL introspection, query fuzzing, and detecting common vulnerabilities like injections and excessive data exposure.
To Access DAST in Delivery Shield
Navigate to Setup → Integrations. In the Post Deploy panel, click ZAP. You can use the toggle button provided below the integration tile to enable or disable it as needed.
Add the service URL and authentication credentials (if running authenticated scans) in the ZAP integrator
Select a Scan Policy to define the scope and depth of the scan
Choose scan type — Passive, Active, Authenticated, or Ad-hoc
Save the configuration — DAST scans will trigger automatically on the next deployment event
View results in the Post Deploy section of the DBOM page and the Vulnerability Management page
To View Results in Delivery Shield
DAST scan results are surfaced in the following locations:
Post Deploy section of the DBOM page — all ZAP scan results tied to the deployment record for full traceability
Vulnerability Management page — findings categorized by severity with CVE details and remediation guidance
Top 5 Vulnerabilities tab — quick visibility into the most critical risks for faster prioritization and remediation
Security Issues: Enterprise View — tracks overall security gaps across all applications