Update nexus: fix conflicts and sync local changes
@@ -1,64 +1,64 @@
# DAST (Dynamic Application Security Testing)

## Definition
DAST tools simulate external attacks on applications to uncover vulnerabilities from an outsider's viewpoint. These tools are essential for identifying weaknesses that attackers could exploit.

## Aliases
- Dynamic Application Security Testing
- Black-box testing
- Vulnerability scanning

## Characteristics
- **Runtime analysis**: tests the application while it is running
- **Black-box testing**: no knowledge of the internal code structure
- **Applicable in the test/deployment stages**: tests the application while it is running
- **Simulates real attacks**: finds vulnerabilities from the attacker's perspective

## What DAST Detects
- Authentication and authorization issues
- API security vulnerabilities
- Misconfigurations
- Session management issues
- Business logic vulnerabilities
- Exposed API endpoints

## Tools
- OWASP ZAP (Zed Attack Proxy)
- Burp Suite
- Acunetix
- Netsparker
- AppScan

## Integration
DAST tools are typically used for:
- Integration testing in CI/CD pipelines
- Pre-release security scans
- Periodic penetration testing
- Production environment monitoring

## Comparison with Other Testing Methods
| Dimension | SAST | DAST | IAST |
|------|------|------|------|
| **Testing approach** | White-box (static) | Black-box (dynamic) | Grey-box (runtime) |
| **Requires source code** | Yes | No | Partially |
| **False-positive rate** | Medium | Low | Low |
| **Detection scope** | Code layer | Application layer | Code + application layer |
| **Applicable stage** | Development | Test/deployment | Test |

## Limitations
- Cannot pinpoint the specific line of code
- Cannot detect source-code-level vulnerabilities
- Scanning is relatively slow
- May produce false positives

## Related Concepts
- [[DevSecOps]] — DAST is a key component of it
- [[SAST]] — Static Application Security Testing (white-box)
- [[IAST]] — Interactive Application Security Testing
- [[SCA]] — Software Composition Analysis
- [[Penetration-Testing]] — penetration testing
- [[Vulnerability-Scanning]] — vulnerability scanning

## Sources
- [[what-is-devsecops-best-practices-benefits-and-tools]]
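Review bot: the Comparison table and the Limitations section of this hunk contradict each other on false positives, and two Characteristics bullets share one description. The table row `| **False-positive rate** | Medium | Low | Low |` rates DAST "Low", while Limitations lists `- May produce false positives`; keep one claim (or qualify the table cell), and give `- **Applicable in the test/deployment stages**` its own wording instead of repeating the "tests the application while it is running" text from the Runtime analysis bullet. Two smaller points in the same hunk: "Vulnerability scanning" is listed under Aliases but is already linked as a separate concept under Related Concepts, so it should appear in one place only; and "Production environment monitoring" under Integration deserves a caveat, since the Definition describes DAST as simulating attacks, and active scans against a production system can modify data or degrade service, so they are normally run against staging or in passive mode.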