On-premise setup

Planning DAST-One (D1) setup in your infrastrusture:

Environment
D1 package
Configure D1

plus -- options marked with this tag are not mandatory for evaluation/test-driving but strongly recommended for production use.
We would consult you on such options while integrating D1 into your environment, on demand.

1. Environment

System requirements

Sizing depends on number of parallel scans planned. Note a single scan-task forks 2 scanner processes, and DAST-mode takes more resources (mostly RAM) than Fuzzing-mode.

No. of parallel scans	vCPU	RAM, GB
1 (min)	1	4
3 (default, recommended)	6	14
$n$	$2 n + ⌈ \frac{1}{2} n ⌉$	$7 n$

For HDD/SSD space planning, consider these:

docker images | egrep '(dast|d1)\.' gives

txt

d1.onprem.yard  ...  193MB    \  i.e. ~250МБ
d1.onprem.rtr   ...  127MB    /  for D1-core
dast.asler      ...  221MB    \
dast.nukem      ...  823MB     | i.e. ~3.5GB
dast.zedan      ...  2.37GB   /  for scanners (may vary)

vuapi           ...  177MB    -- optional, vulnerable API, for demo

Depending on your interim scan-data retention policy, you shoud reserve from a hundred MB up to several GBs under APPDATA for every application/service scanned and tracked.

OS/software requirements:

Linux kernel 5.x+. We consider deb-flavor (Debian, Ubuntu, Astra) by default. We will (maybe) test and support D1 under rpm-flavor Linux environments little later.
Docker Engine v27, Docker Compose v2, obtained from its repository, please ref. to the manuals.

Docker config

D1 base/evaluation kit will go with the default configuration.

plus We recommend to set up the userns-remap facility. Do not forget proper sharing dockerd control interface (e.g. /var/run/docker_alt.sock) to D1 which should be able to run the scanners containers.

Network config

D1 base/evaluation kit in default configuration will be accessible via HTTP(80).

Configure docker networking to assign static IP to the rtr service and leverage the DNS to name your D1 instance (ne.dast.one supposed by default within the starter config and examples).

TLS plus

Issuing the SSL/TLS cert for the D1 web server is recommended. The key + cert-chain bundle should be stored or mounted to rtr under /etc/nginx/ssl/.

OAST plus

Out-of-Band (OOB) technique requires special DNS zone configuration.

IAM/IdM/SSO plus

rtr contains oauth2-proxy that should be configured against your IAM/IdM/SSO solution to make authorization available for D1 user actions (scan running, reports access control).

2. D1 package

The distribution includes docker images and requied configuration files. Please write us to discuss the details.

D1-core:

yard -- docker image: back-end, web-API
rtr -- docker image: router (web-server + oauth-proxy)

Default scanners (may vary):

zedan -- docker image based on ZAP
nukem -- docker image based on Nuclei
asler -- docker image based on Restler

Config files:

compose.yaml -- docker compose control
.env -- used by docker compose and yard

Load obtained images:

cd /where/you/placed/TXZ_and_SHA256/
sha256sum -c *.sha256 && for DIMG in \
  d1.onprem.rtr d1.onprem.yard dast.asler dast.nukem dast.zedan vuapi
do
  docker load -i ${DIMG}.txz
done

3. Configure D1

Please adjust D1 data path in the .env file

# D1 data location (interim, metadata, reports)
APPDATA = '/var/opt/d1'

plus If you have tuned DNS and took care of TLS, also adjust this

ORIGINS = 'http://ne.dast.one http://localhost http://127.0.0.1'

Running

cd /where/you/placed/compose_and_env/
docker compose up --remove-orphans --wait --force-recreate

Now you can proceed with using D1.

On-premise setup ​

1. Environment ​

System requirements ​

Docker config ​

Network config ​

TLS plus ​

OAST plus ​

IAM/IdM/SSO plus ​

2. D1 package ​

3. Configure D1 ​

Running ​