Skip to content

Dynamic Application Security Testing (DAST)

Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. Game Warden conducts Dynamic Application Security Testing (DAST) as part of the routine security screening of your application.

Artifacts from these testing regimes are crucial components of the Deployment Passport, the body of evidence provided to our government accrediting officials that facilitate a rapid risk determination for your application. These artifacts are included in the Deployment Passport as part of an assessment memorandum indicating “Meets/ Does Not Meet” OWASP Top 10 framework for both Static and Dynamic Application Testing.

DAST technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only the exposed HTTP and HTML interfaces of Web-enabled applications; however, some solutions are designed specifically for non-Web protocol and data malformation.

DAST in the SSP

Conducting DAST scans is the responsibility of Second Front Systems; we conduct both un-authenticated and authenticated DAST scans using Tenable. Game Warden customers are responsible for remediating findings in accordance with the DAST Acceptable Baseline Criteria listed below. Second Front Systems will provide Game Warden customers results of DAST scans and will identify findings that need remediation if the finding represents a vulnerability under the OWASP Top 10 Exploits.

DAST artifacts are stored in the Game Warden application in the documents section.

DAST Scan Periodicity

DAST scans are required:

  • Prior to initial Certificate to Field
  • Prior to deploying any code changes
  • Prior to Certificate to Field Renewal

DAST Acceptable Baseline Criteria

DAST scanning provides a robust analysis of each application based on known exploits and vulnerabilities. 2F prioritizes findings in the the the OWASP Top 10 Exploits, which are categorized by severity and finding family. Findings must be addressed in accordance with below Acceptable Baseline Criteria timelines:

Severity Justification Timeline Mitigation/Remediation Timeline
Critical Pre-deployment Pre-deployment
High Pre-deployment Pre-deployment
Medium 10 days 60 days
Low 30 days 180 days
Info N/A N/A

Informational findings are for information purposes only, they will be provided to the customer but require no action.

Scan Prioritizations and Timeline


The application must be functional in development and accurately depict the architecture and code that will be submitted for CtF.

You must provision a user account for Second Front's test user.

  • Use this format: (company)

  • Ensure this user has basic permissions, not admin

There is an unauthenticated scan that will run and then the customer will need to add Second Front's test user, so that we can do an authenticated scan.

  • Scans take a full day to run, with more time factored for an additional web-based login process after P1.
  • Scans will be prioritized FIFO (First In, First Out)

Return to Help Center Home