Shift Left Security: DAST with Dastardly in CI/CD

Originally published at bugnificent.medium.com

In today’s DevOps-driven world, speed and security often clash. CI/CD pipelines accelerate delivery, but vulnerabilities can slip through if security isn’t automated. Enter Dastardly, a free Dynamic Application Security Testing (DAST) tool by PortSwigger (creators of Burp Suite). Designed to integrate seamlessly into CI/CD workflows, Dastardly helps keep your apps secure without slowing down development. Let’s explore why it’s a game-changer.

Conclusion: secure your pipeline without breaking the bank.


What is Dastardly?

Dastardly performs automated security scans directly in your CI/CD pipeline, identifying critical vulnerabilities like:

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Server Misconfigurations
  • Insecure APIs

What is DAST?

DAST (Dynamic Application Security Testing) is a type of security testing that analyzes a running application to find vulnerabilities, typically in web applications. Unlike Static Application Security Testing (SAST), which analyzes source code, DAST tests applications in real-time, simulating an attacker's perspective.

Key Features of DAST:

  • Black-box testing: It doesn't require access to source code.
  • Focus on runtime vulnerabilities: Identifies issues like SQL injection, XSS (Cross-Site Scripting), and security misconfigurations.
  • Automated scanning: Often used in CI/CD pipelines for continuous security testing.
  • Language agnostic: Works on any web application regardless of the tech stack.

Dastardly by Burp is a lightweight DAST tool designed for CI/CD pipelines, helping teams catch security issues early with minimal setup.

How it works:

  • Scans Web Apps/APIs: Tests running applications for flaws.
  • CI/CD Integration: Runs scans during builds, failing pipelines if risks are detected.
  • Simple Reporting: Generates actionable reports with vulnerability details.

Why Choose Dastardly Over Competitors?

Let's compare it to popular alternatives:

| Tool      | Cost             | Ease of use      | CI/CD Integration                    | Coverage      |
|-----------|------------------|------------------|--------------------------------------|---------------|
| Dastardly | Free             | Low-code setup   | Native (CLI/Jenkins)                 | OWASP Top 10  |
| Fortify   | Paid/Enterprise  | Moderate/Complex | Native (Jenkins, Azure DevOps, etc.) | SAST          |
| OWASP ZAP | Free/Open-Source | Moderate         | Plugin                               | Customizable  |
| Snyk      | Paid             | Easy             | Native                               | SAST/SCA/DAST |
| Veracode  | Enterprise       | Complex          | Partial                              | Comprehensive |

Why Dastardly Wins:

  • Zero Cost: Ideal for startups and budget-conscious teams.
  • Simplicity: Minimal configuration; no PhD in security needed.
  • Pipeline-Friendly: Designed explicitly for CI/CD, unlike tools retrofitted for DevOps.

Integrating Dastardly with Jenkins


Here’s how to add Dastardly to your Jenkins pipeline in 4 steps:

1- Create Pipeline from Jenkins:

Jenkins Pipeline Config for Dastardly

2- Add a Jenkins Build Step:

In your Jenkinsfile, add a stage:

pipeline {
    agent any
    stages {
        // Pull the official Dastardly image from PortSwigger's public registry
        stage("Docker Pull Dastardly from Burp Suite container image") {
            steps {
                sh 'docker pull public.ecr.aws/portswigger/dastardly:latest'
            }
        }
        // Run the scan; the workspace is mounted read-write so the report is written into Jenkins' workspace
        stage("Docker run Dastardly from Burp Suite Scan") {
            steps {
                cleanWs()
                sh '''
                    docker run --user $(id -u) -v ${WORKSPACE}:${WORKSPACE}:rw \
                    -e BURP_START_URL=https://example.com/ \
                    -e BURP_REPORT_FILE_PATH=${WORKSPACE}/dastardly-report.xml \
                    public.ecr.aws/portswigger/dastardly:latest
                '''
            }
        }
    }
    post {
        // Publish the JUnit-format report whether or not the scan found anything
        always {
            junit testResults: 'dastardly-report.xml', skipPublishingChecks: true
        }
    }
}

Remove --user $(id -u) if you are running a one-off test from PowerShell.

3- Fail Pipeline on Risks:

Configure Dastardly to exit with a non-zero code if vulnerabilities are found.

4- View Reports:

Archive the XML report in Jenkins to check the results.
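As an added example that is not part of the original post or of Dastardly itself, the following script reads the dastardly-report.xml written by the scan stage above and exits non-zero when findings at or above a chosen severity remain after a baseline allowlist of accepted findings is removed. It assumes the report uses the JUnit layout of one <testcase> per finding with a <failure> child whose type attribute carries the severity; the embedded sample report is constructed to that shape, not captured from a real scan.

```python
"""Gate a Jenkins build on Dastardly's JUnit-style XML report (added example).

Assumption: each finding is a <testcase> holding a <failure> whose 'type'
attribute is the severity. Verify against a real report before relying on it.
"""
import sys
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample report in the assumed JUnit shape.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://example.com/" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected) at /search">
      <failure message="Reflected XSS in parameter q" type="High">details</failure>
    </testcase>
    <testcase name="Strict transport security not enforced">
      <failure message="HSTS header missing" type="Low">details</failure>
    </testcase>
    <testcase name="Robots.txt file"/>
  </testsuite>
</testsuites>
"""


def findings(report_xml):
    """Return (testcase name, severity) for every testcase that has a <failure>."""
    root = ET.fromstring(report_xml)
    out = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is not None:
            out.append((case.get("name", ""), failure.get("type", "info").lower()))
    return out


def blocking_findings(report_xml, min_severity="medium", baseline=()):
    """Findings at or above min_severity, minus names in the baseline allowlist."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    return [(name, sev) for name, sev in findings(report_xml)
            if SEVERITY_RANK.get(sev, 0) >= threshold and name not in baseline]


if __name__ == "__main__":
    # In the Jenkinsfile: sh 'python3 dastardly_gate.py dastardly-report.xml medium'
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    blocking = blocking_findings(xml_text, sys.argv[2] if len(sys.argv) > 2 else "medium")
    for name, sev in blocking:
        print(f"[{sev.upper()}] {name}")
    sys.exit(1 if blocking else 0)  # non-zero exit fails the Jenkins stage
```

Run it from a sh step after the scan stage so the build fails on real findings while accepted ones stay in the baseline tuple.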

Best Use Cases & Optimization Tips

Use Cases:

  • Shift-Left Security: Catch vulnerabilities before production.
  • API Testing: Secure REST/GraphQL endpoints in CI.
  • Open Source Projects: No cost barriers for community-driven apps.

Optimization Tips:

1- Parallel Scans: Run Dastardly alongside unit tests to save time.

2- Baseline Scans: Start with a baseline to ignore known false positives.

3- Combine with SAST: Pair Dastardly (DAST) with Snyk or SonarQube (SAST) for full coverage.

4- Schedule Regular Scans: Use Jenkins cron triggers for nightly scans.

Final Thoughts

Dastardly bridges the gap between speed and security, offering a no-cost, no-fuss solution for CI/CD pipelines. While it may lack the depth of enterprise tools like Veracode, its simplicity and seamless Jenkins integration make it a must-try for teams prioritizing agility. Start with Dastardly to bake security into your DevOps recipe — before the next breach bakes you.

Ready to try? Download Dastardly at portswigger.net and secure your pipeline today.

Enjoyed this? Like ❤, share, and follow for more DevOps insights!
