Dynamic Application Security Testing
Quick Reference
What & Why
Definition
>= 70% of web apps scanned with DAST (OWASP ZAP, Burp) in staging environment weekly with findings tracked.
Business Value
Catches performance regressions 100% of the time before production and reduces visual bugs by 90% through automated regression testing. Achieving >= 70% apps DAST scanned weekly is a key milestone toward this goal.
Context
This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting CFR, LT improvements.
Success Criteria
Target
>= 70% apps DAST scanned weekly
Measurement
DAST scan execution rate + coverage
Evidence
- DAST scan configs
- Scan reports
- Vulnerability remediation tracking
In Practice
Real-World Implementation
Teams run OWASP ZAP against staging URLs weekly, scanning for injection, XSS, CSRF, and authentication issues, and create tickets for MEDIUM+ findings.
Concrete Example
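The following is an added example, not part of the original page or of any kit it references. It computes the weekly coverage metric against the 70% target and pulls MEDIUM+ alerts out of a ZAP JSON report as ticket candidates. The app names, dates and report contents are constructed, and the report is assumed to be in ZAP's traditional JSON format.

```python
import json
from datetime import datetime, timedelta

# ZAP's JSON report stores risk as a string code: "0" info, "1" low, "2" medium, "3" high.
RISK = {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH"}

def medium_plus_findings(report):
    """Return one ticket candidate per MEDIUM or HIGH alert, HIGH first."""
    tickets = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            code = int(alert.get("riskcode", 0))
            if code >= 2:
                tickets.append({
                    "target": site.get("@name"),
                    "title": alert.get("name") or alert.get("alert"),
                    "severity": RISK[code],
                    "cwe": alert.get("cweid"),
                    "instances": int(alert.get("count", 0)),
                })
    return sorted(tickets, key=lambda t: (t["severity"] != "HIGH", t["title"]))

def weekly_coverage(inventory, last_scan, now, window_days=7):
    """Return (fraction of inventoried apps scanned inside the window, stale apps)."""
    cutoff = now - timedelta(days=window_days)
    stale = [app for app in inventory
             if last_scan.get(app) is None or last_scan[app] < cutoff]
    covered = len(inventory) - len(stale)
    return (covered / len(inventory) if inventory else 0.0), stale

# Constructed sample data, not taken from a real scan.
SAMPLE_REPORT = json.loads("""
{"site": [{"@name": "https://staging.example.test", "alerts": [
  {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "cweid": "79", "count": "2"},
  {"name": "Absence of Anti-CSRF Tokens", "riskcode": "2", "cweid": "352", "count": "5"},
  {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "cweid": "693", "count": "12"}
]}]}
""")
INVENTORY = ["billing", "portal", "search", "admin"]  # hypothetical app names
LAST_SCAN = {"billing": datetime(2024, 6, 8), "portal": datetime(2024, 6, 5),
             "search": datetime(2024, 5, 20)}          # "admin" was never scanned

if __name__ == "__main__":
    rate, stale = weekly_coverage(INVENTORY, LAST_SCAN, now=datetime(2024, 6, 10))
    print(f"weekly DAST coverage: {rate:.0%} (target >= 70%), stale: {stale}")
    for t in medium_plus_findings(SAMPLE_REPORT):
        print(f"[{t['severity']}] {t['title']} on {t['target']} x{t['instances']}")
```

The denominator is the app inventory rather than the list of apps that have scan records, so an app that was never onboarded to DAST lowers the coverage figure instead of disappearing from it.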
Implementation Guide
Implementation Steps
Follow the measurement approach: DAST scan execution rate + coverage
For detailed step-by-step guidance, refer to the Advanced Testing & Performance Validation Implementation Kit.
Resources
Implementation Kit
Advanced Testing & Performance Validation Kit
Templates
Browse all templates
Related Resources
View learning paths
Related Capabilities
Complementary
Often adopted together, from the Advanced Testing & Performance Validation epic
Troubleshooting & FAQs
Common Issues
Issue: Target metric not improving
Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness
Issue: Team resistance to adoption
Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition
Issue: Inconsistent implementation across teams
Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards
Frequently Asked Questions
Can we implement this before completing prerequisites?
While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.
How long does implementation typically take?
Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.