Secure web development should be more than just a pipe dream

Yes, Dastardly is completely free to use. There are no restrictions on how many applications you can scan or how many scans you can run.

No, you don't need to create an account or provide any billing details to use Dastardly. Just grab the container and go.

Dastardly can be up and running in your CI/CD pipeline in just two minutes. Follow our step-by-step guides to get started:

• TeamCity.

• Jenkins.

• GitHub Actions.

• Platform independent installation - run Dastardly anywhere you can run a container.

Dastardly uses a free version of the same browser-powered scanning engine used by Burp Suite Professional and Burp Suite Enterprise Edition, packaged in a way that makes it easier to integrate to your CI/CD pipelines and that gives you results in 10 minutes or less.

By default, Dastardly will fail your pipeline build should it find any vulnerabilities determined to have a severity level higher than INFO (LOW, MEDIUM or HIGH).

Dastardly reports its findings in JUnit XML format, which most CI tooling can render.

Where issues have been found, Dastardly brings you free, actionable advice from the Web Security Academy - enabling you to easily tweak your code.

The dynamic (DAST) security testing methodology used by Dastardly looks at an application from the outside in, just like an attacker. This means that DAST is far less prone to producing false positives than static (SAST) security testing methods, which look at an application's source code.

Dastardly can scan any deployed web app where you can run a container (e.g, your CI/CD pipeline).

Note that Dastardly cannot navigate login mechanisms. If your application uses authentication, you should consider disabling this functionality when scanning with Dastardly, or you might find that Burp Suite Enterprise Edition is right for you.

Dynamic application security testing (DAST) is different to static (SAST) testing because it looks at the target application in its deployed state, rather than simply looking at source code. This means that it doesn't matter what language you have written your application in. This enables it to detect vulnerabilities that SAST will not find.

DAST produces fewer false positives than SAST because it looks at an application from the outside in, just like an attacker. Fewer false positives can save you a great deal of time when investigating the results of your scans. You'll also be able to detect vulnerabilities that you would otherwise have missed.

If you are looking to scale your web application security practices, consider our full versions of Burp Suite. These enable you to:

• Find over 160 issues, including SQL injection, DOM-based XSS, client-side prototype pollution and HTTP request smuggling. Learn more about the full range of issues that Burp Scanner can check for.

• Configure your scans exactly as you need.

• Scan authenticated web applications.

We're keen to hear your thoughts on Dastardly; tell us what you think here.