Run dynamic application security testing (DAST) on Polaris
With Polaris fAST Dynamic, you can perform rapid, self-service DAST scans of web applications and APIs. Issues found in DAST scans can be viewed alongside SAST and SCA issues, and triaged according to their severity.
fAST Dynamic brings dynamic application security testing (DAST) capabilities to the Polaris platform. DAST is a method of AppSec testing that examines an application in its running state, without knowledge of its internal design or system-level interactions, and without access to or visibility into the source code. This "black box" approach observes the application from the outside in: a testing tool sends simulated attacks and records how the running application responds. Those responses help determine whether the application is vulnerable and might be susceptible to a real malicious attack.
Prerequisites
Before you begin, make sure that:
- Your organization has a subscription with a DAST entitlement.
- Your subscription has at least one available DAST project.
- An Organization Admin or Organization Application Manager has either:
  - Created an application that uses your DAST subscription.
    Note: See Create an application for more information.
  - Assigned your DAST subscription to a preexisting application.
    Note: See Assign subscriptions to applications for more information.
- Polaris has network access to the application or API you wish to scan. To run DAST tests, Polaris communicates with your web-accessible applications or APIs using IPs that vary between Polaris instances.

  Table 1. fAST Dynamic (DAST) IPs

  | Polaris instance           | IPs (outbound)   |
  | -------------------------- | ---------------- |
  | America, production        | 192.231.134.0/24 |
  | America, POC               |                  |
  | European Union, production | 162.244.5.0/24   |
- You have permissions to create and manage projects.
Note: See Roles and permissions for more information.
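The network-access prerequisite above has a practical consequence for defenders: the target's firewall or reverse proxy must admit the scanner's outbound ranges, and any access-log review during a scan should be able to tell scanner traffic from everything else. The following is an added example, not Polaris's own tooling: it holds the two outbound ranges listed in Table 1, classifies lines of a constructed access log by whether the client IP falls inside those ranges, and renders an nginx `allow`/`deny` snippet for a target that should accept traffic only from the scanner (the nginx placement and the log lines are assumptions made for the example).

```python
import ipaddress
import re

# Outbound source ranges for Polaris fAST Dynamic, copied from Table 1 above.
# The table's "America, POC" row lists no range on this page, so it is not included.
POLARIS_DAST_RANGES = {
    "America, production": ipaddress.ip_network("192.231.134.0/24"),
    "European Union, production": ipaddress.ip_network("162.244.5.0/24"),
}

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_ACCESS_LOG = """\
192.231.134.17 - - [10/Oct/2024:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2024:13:55:37 +0000] "GET /api/health HTTP/1.1" 200 17
162.244.5.200 - - [10/Oct/2024:13:55:38 +0000] "POST /api/orders HTTP/1.1" 400 88
203.0.113.9 - - [10/Oct/2024:13:55:39 +0000] "GET /admin HTTP/1.1" 403 0
"""

# Common log format starts with the client address followed by a space.
_CLIENT_IP_RE = re.compile(r"^(\S+) ")


def polaris_instance_for(ip: str):
    """Return the Polaris instance whose outbound range contains ip, else None.

    Malformed addresses are treated as "not a scanner" rather than raising,
    so a single garbled log line cannot abort a log review.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for instance, net in POLARIS_DAST_RANGES.items():
        if addr in net:
            return instance
    return None


def classify_access_log(log_text: str):
    """Split access-log lines into (scanner_hits, other_hits).

    Each entry is (client_ip, instance_or_None, raw_line). Lines that do not
    start with a client address are skipped.
    """
    scanner, other = [], []
    for line in log_text.splitlines():
        match = _CLIENT_IP_RE.match(line)
        if not match:
            continue
        ip = match.group(1)
        instance = polaris_instance_for(ip)
        (scanner if instance else other).append((ip, instance, line))
    return scanner, other


def nginx_allow_snippet() -> str:
    """Render an nginx location-level allowlist admitting only the Table 1 ranges.

    Intended for a dedicated pre-production target; the deny-all tail is what
    makes the allowlist meaningful.
    """
    lines = ["# Allow Polaris fAST Dynamic outbound ranges (Table 1); deny everything else"]
    for instance, net in POLARIS_DAST_RANGES.items():
        lines.append(f"allow {net};  # {instance}")
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    hits, rest = classify_access_log(SAMPLE_ACCESS_LOG)
    for ip, instance, _ in hits:
        print(f"scanner  {ip:<16} {instance}")
    for ip, _, _ in rest:
        print(f"other    {ip}")
    print()
    print(nginx_allow_snippet())
```

Keep the range table in one place and regenerate the firewall or proxy rule from it, so an update to Table 1 changes both the log classifier and the allowlist together.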
About active attacks
If you select the Perform Active Attacks checkbox when creating a DAST project, fAST Dynamic will simulate real-world attacks by sending various inputs and then observing the application's or API's behavior.
Create a DAST project
A DAST project scans one of two kinds of target:
- Web Applications
- APIs
A target is identified by its Entry Point URL. A separate DAST profile is needed for each target you want to scan. A single target can be used for testing either a web application or an API, but not both.
Create a DAST project for a web application target
Create a DAST project for an API target
Test a DAST project
Follow these steps to run a DAST test from the Polaris user interface:
Work with DAST issues
Issues captured in DAST tests are managed like SAST and SCA issues. You can:
- Triage DAST issues (and manually apply fix-by dates). See Ways to triage issues in Polaris.
- Assign issue policies to DAST projects to automate actions when issues are captured in tests. See Issue policies.
- Export DAST issues to CSV or JSON. See How to export issues to CSV or JSON.