
dast-workflow

Dynamic Application Security Testing workflow — OWASP ZAP automation (baseline/full/API scans), Burp Suite Professional playbooks, Burp Collaborator for out-of-band detection, auth-state orchestration, and CI integration with scope-safe active scanning.
roodlicht/accans-sec-skills · ★ 4 · AI & Automation · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# DAST Workflow

## When to use

DAST tests a running application from the outside. Where `sast-orchestrator` reads code, DAST sends HTTP requests and looks at response patterns. That covers runtime behaviour SAST doesn't see (auth flows, session handling, header config, reverse-proxy misconfig, DoS sensitivity).

Activates on:

- A request like "set up ZAP against our staging", "run a baseline scan", "review this Burp output", "how does the scanner log in", "DAST in CI".
- A new deployable environment (staging, QA, security sandbox) that needs security testing before promotion to production.
- A periodic scan against staging, or a pre-release regression run.
- A handoff from `security-review` where runtime behaviour needs to be verified (e.g. are the security headers actually present in the response?).
- Bug-bounty preparation: scan with DAST first to clear out the low-hanging fruit before paying hunters look at it.

### When NOT to use (handoff)

- Static code analysis → `sast-orchestrator`. DAST doesn't see source.
- Infrastructure (Terraform/K8s/Docker) → `iac-security` / `k8s-security` / `container-hardening`.
- Pre-deploy threat model at design level → `threat-modeler`.
- OWASP API Top 10 as the substantive framework → `api-security`. DAST tools cover API scans; this skill orchestrates, that one provides the substantive checklist.
- Active offensive pentest with exploitation → `web-exploit-triage` + `payload-crafter` + `recon-agent`. DAST flags; pentest exploits.
- Tria
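The `security-review` handoff above asks a runtime question that no static tool can answer: are the security headers actually present in the response? The following is an added example (not code from the accans-sec-skills project) of that verification step, with the scope guard the description calls "scope-safe": the host allow-list, the hostname `staging.example.test` and the sample response headers are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts a scan run may touch. Constructed for this example; in practice this
# comes from the same scope definition the ZAP/Burp context is built from.
IN_SCOPE_HOSTS = {"staging.example.test"}


def in_scope(url: str) -> bool:
    """Scope guard: only explicitly listed hosts may be assessed."""
    host = urlparse(url).hostname or ""
    return host.lower() in IN_SCOPE_HOSTS


def check_security_headers(headers: dict) -> list:
    """Return findings for missing or weak response security headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:  # one year
            findings.append("HSTS max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    if "server" in h and re.search(r"\d", h["server"]):
        findings.append("Server header leaks version: " + h["server"])
    return findings


def verify(url: str, headers: dict) -> list:
    """Refuse out-of-scope targets, then run the header checks on a captured response."""
    if not in_scope(url):
        raise ValueError(f"refusing to assess out-of-scope host: {url}")
    return check_security_headers(headers)


# Constructed sample of response headers as a scanner would capture them.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for finding in verify("https://staging.example.test/login", SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Each finding maps onto a check that a ZAP baseline run also reports passively, so the same function can gate a CI job on the staging response without any active scanning.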