Dynamic Application Security Testing
Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. Game Warden conducts DAST as part of the routine security screening of your application.
DAST artifacts requirement
As part of our security screening, Second Front (2F) performs and includes DAST artifacts in your application’s Authorization Package. These artifacts are critical to provide government accrediting officials with evidence needed to assess and approve your application.
DAST artifacts are required in the following cases:
- Initial CtF: Your application has not yet received a Certificate to Field (CtF).
- Renewal CtF: Your application is undergoing CtF renewal.
- Significant change: Major updates since the last CtF will require reauthorization and a new CtF approved by the government accrediting official.
- Ad-hoc requests: To meet continuous monitoring requirements.
DAST Acceptable Baseline Criteria
2F uses a “Meets / Does Not Meet” framework for DAST evaluations:
- Meets:
  - Zero Critical/High security-related findings mapped to CWE/OWASP in the final report (except confirmed false positives).
  - All Medium/Low security-related findings mapped to CWE/OWASP include justifications, mitigations, and remediation timelines.
- Does Not Meet:
  - Any Critical/High security-related findings mapped to CWE/OWASP not remediated or documented as a false positive.
  - Any Medium/Low security-related findings mapped to CWE/OWASP missing a justification, mitigation, or remediation timeline.
DAST Acceptance Baseline Criteria severity table
| Severity | Requirement | Remediation Timeline |
|---|---|---|
| Critical & High | Zero findings: all Critical and High findings must be remediated or documented as confirmed false positives before generating the final DAST artifact for submission. | Immediately, before DAST artifact submission. |
| Medium | Include justification, mitigation, and a remediation timeline plan. | Within 90 days of the scan date. |
| Low | Include justification, mitigation, and a remediation timeline plan. | Within 180 days of the scan date. |
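The "Meets / Does Not Meet" rule and the severity table above are easy to apply by hand to a short report, but teams that want to gate a release on their own DAST output usually encode them. The following is an added example (not Game Warden's or Second Front's code) that evaluates a list of findings against these criteria and derives each finding's remediation deadline from the scan date. The `Finding` fields, the sample findings and the scan date are constructed for illustration; two assumptions are marked in comments: a finding with no CWE/OWASP mapping is treated as out of scope, and a Medium/Low finding that has already been remediated or confirmed as a false positive is treated as closed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation windows from the severity table on this page (days after the scan date).
# Critical/High must be closed before the artifact is submitted, so their window is 0.
REMEDIATION_DAYS = {"Critical": 0, "High": 0, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    id: str                       # scanner-issued finding id (constructed for this example)
    severity: str                 # "Critical" | "High" | "Medium" | "Low"
    cwe: Optional[str]            # e.g. "CWE-79"; None when the scanner gave no CWE/OWASP mapping
    remediated: bool = False
    false_positive: bool = False  # confirmed false positive, documented in the report
    justification: str = ""
    mitigation: str = ""
    remediation_timeline: Optional[date] = None  # date by which the team commits to fix it


def deadline_for(severity: str, scan_date: date) -> date:
    """Latest acceptable remediation date for a severity, per the table on this page."""
    return scan_date + timedelta(days=REMEDIATION_DAYS[severity])


def evaluate(findings: List[Finding], scan_date: date) -> Tuple[str, List[str]]:
    """Return ("Meets" | "Does Not Meet", list of reasons) for a DAST report.

    A report Meets only when no reason is recorded, i.e. every Critical/High finding is
    remediated or a confirmed false positive, and every open Medium/Low finding carries a
    justification, a mitigation, and a remediation date inside its window.
    """
    reasons: List[str] = []
    for f in findings:
        if f.cwe is None:
            # Assumption: only CWE/OWASP-mapped, security-related findings count toward the baseline.
            continue
        if f.severity in ("Critical", "High"):
            if not (f.remediated or f.false_positive):
                reasons.append(f"{f.id}: {f.severity} finding not remediated or documented as a false positive")
        elif f.severity in ("Medium", "Low"):
            if f.remediated or f.false_positive:
                # Assumption: a closed or confirmed-false-positive finding needs no timeline.
                continue
            missing = [name for name, value in (
                ("justification", f.justification),
                ("mitigation", f.mitigation),
                ("remediation timeline", f.remediation_timeline),
            ) if not value]
            if missing:
                reasons.append(f"{f.id}: {f.severity} finding missing {', '.join(missing)}")
            elif f.remediation_timeline > deadline_for(f.severity, scan_date):
                reasons.append(
                    f"{f.id}: {f.severity} remediation date {f.remediation_timeline} is after "
                    f"{deadline_for(f.severity, scan_date)} ({REMEDIATION_DAYS[f.severity]} days from scan)"
                )
        else:
            reasons.append(f"{f.id}: unrecognised severity {f.severity!r}")
    return ("Meets" if not reasons else "Does Not Meet"), reasons


# Constructed sample report: ids, CWEs and dates are illustrative, not real scan output.
SCAN_DATE = date(2024, 4, 4)
SAMPLE_FINDINGS = [
    Finding("F-1", "High", "CWE-79", remediated=True),
    Finding("F-2", "High", "CWE-89", false_positive=True, justification="Parameter is never passed to a query"),
    Finding("F-3", "Medium", "CWE-1021", justification="Internal admin page only",
            mitigation="X-Frame-Options set on edge proxy", remediation_timeline=SCAN_DATE + timedelta(days=60)),
    Finding("F-4", "Low", "CWE-200", justification="Version banner on health endpoint"),  # no mitigation/timeline
    Finding("F-5", "Medium", None),  # informational finding with no CWE mapping: ignored
]

if __name__ == "__main__":
    verdict, reasons = evaluate(SAMPLE_FINDINGS, SCAN_DATE)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

Run as a script, the sample report is reported as Does Not Meet because F-4 lacks a mitigation and a remediation timeline; supplying those (with a date no later than 180 days after the scan) flips it to Meets. The deadline helper is what a team would use to pre-fill the timeline column of their submission before the report is reviewed.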
Authenticated scan prerequisites
For DoD deployments, if your application doesn’t automatically grant Keycloak users access to your IL2 DEV endpoint, provision a standard test account for Second Front:
- Email format: {company}-test@secondfront.com (e.g., acme-test@secondfront.com)
- Permissions: basic/user-level access only (no admin or elevated roles)
This account must be able to sign in and exercise core application functionality needed for DAST without administrative privileges.
Scan prioritization and timeline
An authenticated scan will be conducted against the application in a production-like environment, typically the staging environment.