Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 13 Apr 2021
GitLab / Secure Stage / 13 Apr 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Testing the user experience with DAST aggregate vulnerabilities

Description

A run-through of what the user experience might look like for a user when aggregated vulnerabilities is the default on DAST.

A

Hi, I'm cam, I'm a das engineer and I'm going to be taking you through the uh the current user experience for when we turn on aggregated vulnerabilities in desk. Now I've got this site that I'm testing it's just a really simple site. You can see. It's just got four pages. Basically do nothing and I have this project which basically just defines a single job, a desk job.

A

I go into the definition so that you can have a quick look and see uh you can see it's just testing that really simple site. I've got here.

A

uh It's excluded a few rules just for brevity, and uh I've run it once already, and it's come back with four vulnerabilities, because the x frame options header is not set on any of the pages page four page, three page, two page one.

A

Now, if we go ahead- and we dismiss some of these- maybe dismiss this one.

A

So we dismissed page four and if we go into page three, maybe we create a new issue.

A

Sounds pretty good.

A

And then back to the vulnerability report.

A

Cool there's, a new issue and page 4 has been dismissed now. What we're going to do is we're going to go and turn on aggregated vulnerabilities.

A

So I'm going to turn the feature flag on.

A

How to do.

A

It on the feature flag, page flag on now we're going to start a new merge request. Just so we can have a look at the merge request. Widget.

A

Cool.

A

And we just have to wait for the pipeline to run, should only take a few seconds. Well, hopefully, not too long in more than a few seconds.

A

Cool job succeeded very nice. If I just refresh smart request, widget sorry, this merge request. We can have a look at the merger, the security widget.

A

Security scanning is loading.

A

Detected one potential vulnerability and if we look at this, it has fixed.

A

For and for some reason, this new one is also dismissed.

A

I don't understand. What's going on there, uh it's picked what seems to be the first url page, one which wasn't one that we dismissed.

A

Earlier you can also see that this doesn't actually show all of the urls, so this is actually the grouped vulnerability finding, but it doesn't show that all the urls, yet it still shows url as if there is only one, I don't believe that's been built yet in rails.

A

uh Okay, if we merge this, let's just see what happens to our.

A

Vulnerability report.

A

So wait for pipeline again.

A

Apologies.

A

Actually, what I can show you in the meantime is that the pipeline security tab.

A

Oh, I found it no vulnerabilities, I assume that's because it was dismissed.

A

Well, that's probably incorrect. Oh heart, dismissed there we go yeah, okay, so it's found the vulnerability. That's grouped you can see, so it hasn't found four four vulnerabilities for each page. It's found one which covers all the pages. However, we do click on it and it does only show page one which is potentially incorrect.

A

um It's linked the issue and it's dismissed it okay, uh so this pipeline has succeeded, so it's been merged into master if we go and look at the vulnerability report now. uh The interesting thing is that.

A

It shows all of them as detected, and I assumed this one is the gripped one.

A

No.

A

ah But this is no longer detected.

A

Let's see if we can find the gripped one, it says the vulnerability is no longer detected detected status detected.

A

Page three.

A

So this has got the issue, so this is the original one we gave the issue to so this is also no longer detected, although I don't understand why that says detected, which means it must have actually tracked it along with page four but oh yeah. So this is the grouped one which is automatically recognized it is dismissed. I don't know how that happened, and here you can see the new the urls.

A

If you click on that actually goes to the site, which is really good.

A

Interesting um I'll show this anyway, uh love to hear what people think.