Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

DAST: What is Dynamic Security Testing

DAST (Dynamic Application Security Testing) is an analysis technique that tests running applications by simulating real attacks from the outside. Unlike SAST which analyzes source code, DAST interacts with the application via HTTP as an attacker would, looking for vulnerabilities like XSS, SQL injection, CSRF, misconfiguration, and broken authentication.

DAST is a black-box approach: it has no access to the source code and sees the application exactly as a malicious user would. This complements SAST because it finds vulnerabilities that only emerge at runtime, such as configuration issues, missing HTTP headers, and insecure authentication flows.

In this article, we will explore OWASP ZAP and Burp Suite, their integration into CI/CD pipelines, and strategies for implementing automated DAST without slowing down the release cycle.

What You'll Learn

How DAST works and when to use it in the pipeline
Configuring OWASP ZAP for automated scans
API security testing with DAST
Fuzzing and advanced testing techniques
DAST integration in the CI/CD pipeline
Triage and prioritization of results

How DAST Works

A DAST tool follows a structured process to analyze a web application:

Spider/Crawl: the tool navigates the application discovering all pages, forms, and API endpoints
Passive Scan: analyzes HTTP responses looking for sensitive information, missing headers, insecure cookies
Active Scan: sends malicious payloads (SQL injection, XSS payloads, path traversal) and analyzes responses to identify vulnerabilities
Reporting: generates a report with found vulnerabilities, categorized by severity with remediation instructions

When to Use DAST in the Pipeline

DAST requires a running application, so it typically sits in the later stages of the pipeline:

Staging environment: after deploying to staging, before promotion to production
Pull Request: on ephemeral environments (preview deployments) for each PR
Nightly scan: comprehensive scans scheduled every night on the staging environment
Post-deploy: lightweight scan after each production deploy (passive scan only)

DAST: Advantages and Limitations

Advantages: low false positive rate, finds real runtime vulnerabilities, doesn't require source code access, tests infrastructure configuration. Limitations: slower than SAST, requires a running application, doesn't cover all code, may not find vulnerabilities in complex business logic.

OWASP ZAP: The Open Source Standard

OWASP ZAP (Zed Attack Proxy) is the most widely used open source DAST tool in the world, maintained by the OWASP Foundation. It's free, extensible, and supports both manual use (as an interception proxy) and automated use (for CI/CD pipelines).

ZAP Baseline Scan in Docker

The simplest way to run an automated DAST scan is using ZAP's official Docker containers:


# Baseline scan: quick scan, passive checks only
docker run --rm -t ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py \
  -t https://staging.myapp.com \
  -r zap-report.html \
  -J zap-report.json \
  -c zap-baseline.conf

# Full scan: complete scan with active scanning
docker run --rm -t ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py \
  -t https://staging.myapp.com \
  -r zap-full-report.html \
  -J zap-full-report.json

# API scan: specific for REST/GraphQL APIs
docker run --rm -t ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py \
  -t https://staging.myapp.com/api/openapi.json \
  -f openapi \
  -r zap-api-report.html

ZAP Configuration for CI/CD

To customize ZAP's behavior, a configuration file defines which rules to activate, severity thresholds, and exclusions:


# zap-baseline.conf
# Format: Rule_ID  WARN|IGNORE|FAIL
# Passive scan rules
10010   WARN    # Cookie No HttpOnly Flag
10011   WARN    # Cookie Without Secure Flag
10015   FAIL    # Incomplete or No Cache-control
10017   WARN    # Cross-Domain JavaScript Source
10020   FAIL    # X-Frame-Options Header
10021   FAIL    # X-Content-Type-Options Header
10038   FAIL    # Content Security Policy Header
10098   WARN    # Cross-Domain Misconfiguration
10202   WARN    # Absence of Anti-CSRF Tokens
90033   WARN    # Loosely Scoped Cookie

GitHub Actions Integration


# .github/workflows/dast.yml
name: DAST Security Scan
on:
  deployment_status:

jobs:
  dast:
    if: github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: OWASP ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: #123;{ github.event.deployment_status.target_url }}
          rules_file_name: "zap-baseline.conf"
          cmd_options: "-a -j"
          fail_action: true

      - name: Upload ZAP Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report_html.html

API Security Testing

Modern APIs (REST, GraphQL, gRPC) require a specific DAST approach. The most common API vulnerabilities include:

Broken Object Level Authorization (BOLA): accessing other users' resources by modifying IDs
Broken Authentication: weak JWT tokens, missing rate limiting, non-invalidated sessions
Excessive Data Exposure: APIs returning more data than necessary
Mass Assignment: modifying unintended fields through the request body
Injection: SQL injection, NoSQL injection, command injection through API parameters

ZAP API Scan with OpenAPI

ZAP supports the OpenAPI specification to automatically generate tests for each endpoint:


# .github/workflows/api-dast.yml
name: API DAST Scan
on:
  workflow_dispatch:
  schedule:
    - cron: "0 2 * * 1-5"  # Every weeknight at 2:00 AM

jobs:
  api-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: ZAP API Scan
        uses: zaproxy/action-api-scan@v0.7.0
        with:
          target: "https://staging-api.myapp.com/openapi.json"
          format: openapi
          fail_action: true
          cmd_options: >
            -z "-config replacer.full_list(0).description=AuthHeader
            -config replacer.full_list(0).enabled=true
            -config replacer.full_list(0).matchtype=REQ_HEADER
            -config replacer.full_list(0).matchstr=Authorization
            -config replacer.full_list(0).replacement=Bearer TEST_TOKEN"

Fuzzing: Testing with Random Inputs

Fuzzing is a technique that sends random or semi-random inputs to the application to discover crashes, memory leaks, and unexpected behaviors. In the DAST context, fuzzing is particularly effective at finding:

Buffer overflow in fields with unvalidated length
Parsing errors with malformed input (corrupted JSON/XML/YAML)
Race conditions with concurrent requests
Denial of Service with large payloads

Types of Fuzzing

Mutation-based: modifies valid inputs (changes characters, adds payloads)
Generation-based: generates inputs from scratch based on the schema
Coverage-guided: uses coverage feedback to generate more effective inputs

Burp Suite: The Professional Tool

Burp Suite by PortSwigger is the most widely used commercial DAST tool by professional penetration testers. The Community edition is free but limited; the Professional edition offers automated scanner, advanced intruder, and team collaboration.

Burp Suite excels at manual and semi-automated analysis, where the tester can intercept requests, modify them, and replay with custom payloads. For CI/CD integration, Burp Suite Enterprise offers REST APIs to launch scheduled scans.

Managing DAST Results

DAST results require a structured triage process to avoid false positives and prioritize fixes:

      DAST Triage Process
      
          Severity
          Remediation SLA
          Action
        
          Critical
          24-48 hours
          Block deploy, immediate fix
        
          High
          7 days
          Block deploy, plan fix in current sprint
        
          Medium
          30 days
          Create ticket, plan in next sprint
        
          Low/Info
          90 days
          Backlog, periodic evaluation

DAST for Single Page Applications (SPA)

Single Page Applications (Angular, React, Vue) present specific challenges for DAST: content is generated dynamically via JavaScript, and the traditional crawler might not explore all pages.

ZAP's AJAX Spider: uses a headless browser to navigate SPAs and discover dynamic content
Authentication: configure ZAP to handle JWT-based or SPA session logins
Pre-seeding: provide ZAP with a list of URLs to test, extracted from the application build

DAST Best Practices

Dedicated environment: run DAST on an isolated staging environment, never directly in production
Realistic test data: populate the environment with realistic data to maximize coverage
Configured authentication: configure test credentials to explore authenticated areas
Incremental scans: baseline scans on PRs, full nightly scans
Correlation with SAST: correlate DAST findings with SAST findings to reduce duplicates
Quick feedback: immediately notify developers via Slack/Teams for critical findings

Conclusions

DAST is the essential complement to SAST in the DevSecOps strategy. While SAST finds vulnerabilities in source code, DAST verifies that the running application is actually secure, testing configurations, headers, authentication, and business flows.

In the next article, we'll explore SCA (Software Composition Analysis), the technique for analyzing open source dependencies and discovering known vulnerabilities in the libraries used by the project.

Severity	Remediation SLA	Action
Critical	24-48 hours	Block deploy, immediate fix
High	7 days	Block deploy, plan fix in current sprint
Medium	30 days	Create ticket, plan in next sprint
Low/Info	90 days	Backlog, periodic evaluation