
Interesting article by Sandesh Mysore Anand as usual.

Couple of thoughts in my mind:

  1. Nuclei is not a DAST replacement. It is a good tool, but its users need to be mindful of its usage. Even for regression checking, once you cross a threshold it will pose the same bottleneck as DAST does.

  2. I was so excited a few years back when IAST was making waves, but then it died down. The current throw-it-all approach that DAST performs is very time consuming, and we need better approaches to find bugs, especially when it's the org themselves doing the tests. The black-box approach was a good one while there were unknowns, but when you know the code, leveraging IAST-style instrumentation could be a way forward for DAST to speed up. Recently saw some companies starting to look in this direction, at least for the CI/CD pipeline view.

  3. Even after that, DAST might not become a full CI/CD citizen, but ya: a once-a-week test suite, or a once-a-day run sneaked in at night, is the kind of self-satisfaction the pentest world might end up compromising with.

#pipeline #DAST #APPSEC #infosec
