r/devsecops

Authenticated Multi-Privilege DAST with OWASP ZAP in CI/CD in Gitlab

Most DAST guides stop at unauthenticated baseline scans. The real attack surface sits behind the login page, and there is surprisingly little documentation on how to implement authenticated multi-privilege scanning with ZAP in CI/CD. I wrote a walkthrough covering browser-based authentication, JWT and cookie session management, and role-isolated scanning in GitLab pipelines — tested against production applications. Hope it saves someone the debugging time.
Link: https://medium.com/@mouhamed.yeslem.kh/authenticated-multi-privilege-dast-with-owasp-zap-in-ci-cd-in-gitlab-d300fdc94c43

If you found this useful, a share or a like goes a long way. Feedback is welcome.

u/Southern-Fox4879 — 11 hours ago

How are people handling identity for AI agents in production right now?

Hey r/devsecops — I’ve been spending a lot of time recently looking at how teams are handling identity and access for AI agents, and I’m curious how this is playing out in real environments.

Full disclosure: I work in this space and was involved in a recent study with the Cloud Security Alliance looking at how 200+ orgs are approaching this. Sharing because some of the patterns felt… familiar.

A few things that stood out:

  • A lot of agents aren’t getting their own identity — they run under service accounts, workload identities, or even human creds
  • Access is often inherited rather than explicitly scoped for the agent
  • 68% of teams said they can’t clearly distinguish between actions taken by an agent vs a human
  • Ownership is kind of all over the place (security, eng, IT… sometimes no clear answer)

None of this is surprising on its own, but taken together it feels like the identity model starts to get stretched once agents are actually doing work across systems.

Curious how others are dealing with this:

  • Are you giving agents their own identities, or reusing existing ones?
  • How are you handling attribution when something goes wrong?
  • Who actually owns this in your org right now?

If useful, I can share the full write-up here: https://aembit.io/blog/introducing-the-identity-and-access-gaps-in-the-age-of-autonomous-ai-survey-report/

u/workloadIAMengineer — 5 hours ago

Building AI-Empowered Vulnerability Scanner Tool for Cloud-Based Applications

Hi Everyone,

I'm working on a project where we need to build an AI-powered vulnerability scanner for a cloud-based application (but we'll demo it on a local cluster like Minikube or Docker).

I'd love to hear your suggestions, just something practical and well-designed.

u/WinterSalt158 — 17 hours ago