Breach and Attack Simulation (ULTIMATE ALL)

  • Introduced in GitLab 15.11 as an Incubating feature.
  • Included in the Security/BAS.latest.gitlab-ci.yml in GitLab 16.0.

DISCLAIMER: Breach and Attack Simulation is a set of incubating features being developed by the Incubation Engineering Department and is subject to significant changes over time.

Breach and Attack Simulation (BAS) uses additional security testing techniques to assess the risk of detected vulnerabilities and prioritize the remediation of exploitable vulnerabilities.

For feedback, bug reports, and feature requests, see the feedback issue.

WARNING: Only run BAS scans against test servers. Testing attacker behavior can lead to modification or loss of data.

Extend Dynamic Application Security Testing (DAST)

You can simulate attacks with DAST to detect vulnerabilities. By default, DAST active checks match an expected response, or determine by response time whether a vulnerability was exploited.

To enable BAS extended DAST scanning for your application, use the dast_with_bas job defined in the GitLab BAS CI/CD template file. Updates to the template are provided with GitLab upgrades, allowing you to benefit from any improvements and additions.

  1. Include the appropriate CI/CD template:

    WARNING: The latest version of the template may include breaking changes. Use the stable template unless you need a feature provided only in the latest template.

    For more information about template versioning, see the CI/CD documentation.

  2. Choose one of the following options for running BAS extended DAST scans:

    • Enable a separate BAS extended DAST job

      • You're not using the latest DAST template yet.
      • Continue using a stable version of the DAST security analyzer image for DAST scans.
      • Create a duplicate dast_with_bas job which extends your existing DAST job configuration.
    • Extend an existing DAST job

      • You're already using the latest DAST template rather than the stable template.
      • Extend your existing DAST job to include the latest DAST security analyzer image tag from the Breach and Attack Simulation SEG.
  3. Set up a callback server to enable callback attacks.

Enable a separate BAS extended DAST job

To maintain a separate DAST job while testing the BAS extended DAST image:

  1. Add a dast stage to your GitLab CI/CD stages configuration.

      stages:
        - build
        - test
        - deploy
        - dast
  2. Set the DAST_WEBSITE CI/CD variable.

      dast_with_bas:
        variables:
          DAST_WEBSITE: http://yourapp

Extend an existing DAST job

To enable Breach and Attack Simulation features inside of an existing DAST job:

  1. Follow the steps in Create a DAST CI/CD job.

  2. Extend your DAST job's configuration with the .dast_with_bas hidden job using the extends keyword:

      dast:
        extends: .dast_with_bas
  3. Disable the dast_with_bas job included in the BAS template by setting DAST_BAS_DISABLED:

      variables:
        DAST_BAS_DISABLED: "true"

Enable callback attacks

DISCLAIMER: This page contains information related to upcoming products, features, and functionality. It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned on this page are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Perform Out-of-Band Application Security Testing (OAST) for certain active checks.

  1. Extend the .dast_with_bas_using_services job configuration using the extends keyword, either in the dast job or in a separate dast_with_bas job:

      dast:
        extends: .dast_with_bas_using_services

      dast_with_bas:
        extends:
          # NOTE: extends overwrites rather than merges so dast must be included in this list.
          - dast
          - .dast_with_bas_using_services
  2. Use a !reference tag to pull in the default callback service container in your services.

      services:
        # NOTE: services overwrites rather than merges so it must be referenced to merge.
        - !reference [.dast_with_bas_using_services, services]
        - name: $CI_REGISTRY_IMAGE
          alias: yourapp
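The "Enable a separate BAS extended DAST job" steps and the template-based callback service above, combined into one .gitlab-ci.yml as an added example (not from the GitLab documentation). It assumes the stable DAST template Security/DAST.gitlab-ci.yml, a Docker executor runner (hence FF_NETWORK_PER_BUILD), and an application image already pushed to $CI_REGISTRY_IMAGE by an earlier build job.

```yaml
# Added example (not from the GitLab docs): one .gitlab-ci.yml that combines the
# "separate BAS extended DAST job" option with the template's callback service.
# Assumed: the stable DAST template, a Docker executor runner, and an application
# image already pushed to $CI_REGISTRY_IMAGE by an earlier build job.
stages:
  - build
  - test
  - deploy
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml        # stable DAST analyzer (assumed)
  - template: Security/BAS.latest.gitlab-ci.yml  # BAS template named on this page

variables:
  # Assumed Docker executor: a per-build network so the DAST container, the
  # application under test and the callback service reach each other by alias.
  FF_NETWORK_PER_BUILD: "true"

# The stable dast job keeps running unchanged against the test deployment.
dast:
  variables:
    DAST_WEBSITE: http://yourapp
  services:
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp

# Separate BAS-extended job: extends overwrites rather than merges, so the
# base dast job must be listed alongside the callback-service hidden job.
dast_with_bas:
  stage: dast
  extends:
    - dast
    - .dast_with_bas_using_services
  variables:
    # Only ever a disposable test deployment: BAS checks can modify or lose data.
    DAST_WEBSITE: http://yourapp
  services:
    # services also overwrites: !reference merges the template's callback
    # service, then the application under test is added on the same network.
    - !reference [.dast_with_bas_using_services, services]
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp
```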

You can also manually enable callback attacks by making sure to:

  1. Set the DAST_FF_ENABLE_BAS CI/CD variable to true.
  2. Enable both the application being tested and the callback service container using services.
  3. Enable container-to-container networking so that the callback service is accessible in the job.
  4. Set DAST_BROWSER_CALLBACK to include the Address:$YOUR_CALLBACK_URL key/value pair, where $YOUR_CALLBACK_URL is the address at which the callback service is accessible to the Runner/DAST container.