Dynamic Application Security Testing (DAST) remains one of the most complex and resource-intensive phases of the Secure Software Development Life Cycle (SSDLC).
This talk presents a practical and highly accessible alternative: integrating DAST directly into existing web tests, enabling software quality teams to incorporate dynamic security validation without additional manual configuration or specialized tooling expertise.
This approach emerged from a clear need in modern organizations: a dynamic security testing method that quality teams can adopt seamlessly, using the tools and workflows they already rely on. By combining automated functional testing with the analysis engine of ZAProxy, we eliminate the traditional friction of dynamic scanning, such as pre-mapping URLs, configuring authentication flows, or relying on crawler discovery.
Instead, the web tests drive the application, and ZAProxy analyzes exactly what they execute. The key insight is simple: if teams already have robust functional web test coverage and a stable execution environment, then the initial configuration traditionally required for DAST becomes unnecessary.
By routing browser traffic through ZAProxy, the scanner automatically observes and analyzes all interactions produced by the functional tests. This strategy brings three major benefits. Analysis by functionality allows vulnerabilities to be traced to specific user flows, improving prioritization. Configuration simplicity reduces adoption barriers to a single proxy setting within browser capabilities.
Preventive value increases as DAST becomes part of the natural test process, offering early and continuous feedback during development.
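The two mechanics described above are the single proxy setting that sends browser traffic through ZAP, and the attribution of each finding to the functional flow that produced it. The following Python is an added illustration, not code from the talk or from ZAProxy: it assumes ZAP is listening on 127.0.0.1:8080, that a hypothetical test hook recorded which URLs each functional test visited (TEST_TRACE), and it uses a constructed alert list shaped like a subset of the fields ZAP's alert API returns. It matches alerts to tests by host and path, then ranks them by risk so the highest-risk finding per user flow is visible.

```python
"""Route browser traffic through ZAP and attribute ZAP alerts to functional tests.

Added example, not part of the original talk. All URLs, test names and alerts
below are constructed sample data.
"""
import json
from urllib.parse import urlsplit

ZAP_PROXY = "127.0.0.1:8080"  # assumption: ZAP's local listener
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def chrome_proxy_args(proxy=ZAP_PROXY):
    """The one browser-capability setting the approach needs: send all traffic via ZAP.
    Certificate errors are ignored only because ZAP re-signs TLS with its own CA."""
    return ["--proxy-server=http://" + proxy, "--ignore-certificate-errors"]


# Constructed: URLs each functional test exercised, as a hypothetical test hook would record.
TEST_TRACE = {
    "test_login": ["https://app.example.test/login", "https://app.example.test/dashboard"],
    "test_search": ["https://app.example.test/search?q=shoes"],
    "test_profile_update": ["https://app.example.test/profile",
                            "https://app.example.test/profile/save"],
}

# Constructed: alerts in the shape of ZAP's alert list (subset of fields, sample values).
ZAP_ALERTS_JSON = """
[
  {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
   "url": "https://app.example.test/search?q=shoes", "param": "q"},
  {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
   "url": "https://app.example.test/login", "param": "x-content-type-options"},
  {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "Low",
   "url": "https://app.example.test/profile/save", "param": ""},
  {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
   "url": "https://App.Example.test/static/app.js", "param": "session"}
]
"""


def load_alerts(raw=ZAP_ALERTS_JSON):
    return json.loads(raw)


def normalize(url):
    """Key a URL by lower-cased host and path; query strings differ per test run."""
    parts = urlsplit(url)
    return parts.netloc.lower(), (parts.path.rstrip("/") or "/")


def build_index(trace):
    """Map (host, path) -> set of tests that requested it."""
    index = {}
    for test, urls in trace.items():
        for url in urls:
            index.setdefault(normalize(url), set()).add(test)
    return index


def correlate(alerts, trace):
    """Attach the originating tests to each alert and sort highest risk first."""
    index = build_index(trace)
    hits = []
    for alert in alerts:
        tests = sorted(index.get(normalize(alert["url"]), ()))
        hits.append({
            "alert": alert["alert"],
            "risk": alert["risk"],
            "url": alert["url"],
            "param": alert.get("param", ""),
            # Traffic ZAP saw that no test claimed (e.g. static assets) is flagged explicitly.
            "tests": tests or ["<unattributed>"],
        })
    hits.sort(key=lambda h: (-RISK_ORDER.get(h["risk"], 0), h["alert"]))
    return hits


def summarize_by_test(hits):
    """Highest risk level reached by each functional flow: the prioritization view."""
    summary = {}
    for hit in hits:
        for test in hit["tests"]:
            current = summary.get(test)
            if current is None or RISK_ORDER[hit["risk"]] > RISK_ORDER[current]:
                summary[test] = hit["risk"]
    return summary


if __name__ == "__main__":
    print("browser args:", chrome_proxy_args())
    ranked = correlate(load_alerts(), TEST_TRACE)
    for hit in ranked:
        print(f'{hit["risk"]:<7} {hit["alert"]:<40} {", ".join(hit["tests"])}')
    print("per-flow risk:", summarize_by_test(ranked))
```

The correlation key deliberately drops the query string, since parameter values change between runs while the functional flow does not; an alert whose URL no test visited is reported as unattributed rather than silently dropped, so gaps in the test-driven coverage stay visible.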
The talk concludes by comparing this method with the conventional spider-based approach, evaluating both passive and active scanning modes. We will also demonstrate how this methodology integrates into a complete continuous integration pipeline using GitHub Actions, enabling automated, repeatable, and scalable dynamic security testing. The results show that this alternative approach is not only feasible but more efficient, actionable, and aligned with DevSecOps practices.