<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Ambika Dobhal</title>
    <description>The latest articles on DEV Community by Ambika Dobhal (@devfendforge).</description>
    <link>https://dev.to/devfendforge</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3320242%2F369f438f-26b7-48cb-8bb4-59325da7f824.jpeg</url>
      <title>DEV Community: Ambika Dobhal</title>
      <link>https://dev.to/devfendforge</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/devfendforge"/>
    <language>en</language>
    <item>
      <title>I Built a Dashboard to Make Security Reports Easier to Read</title>
      <dc:creator>Ambika Dobhal</dc:creator>
      <pubDate>Wed, 15 Jul 2026 18:51:31 +0000</pubDate>
      <link>https://dev.to/devfendforge/i-built-a-dashboard-to-make-security-reports-easier-to-read-33e9</link>
      <guid>https://dev.to/devfendforge/i-built-a-dashboard-to-make-security-reports-easier-to-read-33e9</guid>
      <description>&lt;p&gt;****When working with security tools like "Trivy" and "npm" audit, I realized that their primary goal is to generate detailed reports that can be consumed by automation, CI/CD pipelines, and other security tools.&lt;/p&gt;

&lt;p&gt;For developers, however, there are times when you simply want a quick visual overview of a report.&lt;/p&gt;

&lt;p&gt;Questions like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;How many critical vulnerabilities are there?&lt;/li&gt;
&lt;li&gt;Which packages need immediate attention?&lt;/li&gt;
&lt;li&gt;Which vulnerabilities already have a fix available?&lt;/li&gt;
&lt;li&gt;What should I investigate first?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;can require navigating through a large JSON report or terminal output.&lt;/p&gt;

&lt;p&gt;Of course,Trivy already provides excellent terminal output, and there are powerful enterprise platforms that provide comprehensive security  dashboards.&lt;/p&gt;

&lt;p&gt;I wasn't trying to recreate those tools or copy their ideas.&lt;/p&gt;

&lt;p&gt;Instead, I wanted to explore a different question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What if viewing a security report was as simple as opening a web page?&lt;/strong&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  The Idea
&lt;/h1&gt;

&lt;p&gt;My goal was to build a lightweight, browser-only application where developers can simply:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Drag &amp;amp; Drop a JSON report&lt;/li&gt;
&lt;li&gt;Paste a JSON report&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Analyze Report&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That's it.&lt;/p&gt;

&lt;p&gt;No installation.&lt;br&gt;
No backend.&lt;br&gt;
No account.&lt;br&gt;
No database.&lt;/p&gt;

&lt;p&gt;Within seconds, the report is transformed into an interactive dashboard.&lt;/p&gt;

&lt;p&gt;The focus isn't on replacing existing security platforms—it's on providing a simple, fast, and privacy-friendly way to explore security reports.&lt;/p&gt;

&lt;h1&gt;
  
  
  Why Browser-Only?
&lt;/h1&gt;

&lt;p&gt;Security reports often contain sensitive information about a project.&lt;br&gt;
Uploading those reports to a remote server just to visualize them isn't always desirable.&lt;br&gt;
That's why I decided that &lt;strong&gt;every report should be processed locally inside the browser.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Nothing is uploaded.&lt;br&gt;
Nothing is stored.&lt;br&gt;
Your security report never leaves your machine.&lt;/p&gt;

&lt;h1&gt;
  
  
  Supporting Multiple Scanners
&lt;/h1&gt;

&lt;p&gt;One thing I learned very quickly is that different security scanners don't speak the same language.&lt;br&gt;
For example, Trivy and npm audit both report vulnerabilities, but their JSON structures are completely different.&lt;br&gt;
The UI shouldn't need to know which scanner generated the report.&lt;/p&gt;

&lt;p&gt;Instead of building separate interfaces for every scanner, I introduced a &lt;strong&gt;normalization layer&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Each supported report is converted into a common data model before it reaches the UI.&lt;/p&gt;

&lt;p&gt;Once normalized, the dashboard can display vulnerabilities using the same components regardless of the original scanner.&lt;/p&gt;

&lt;p&gt;Besides simplifying the frontend, this also makes supporting additional scanners much easier in the future.&lt;/p&gt;

&lt;h1&gt;
  
  
  What I Learned
&lt;/h1&gt;

&lt;p&gt;This project taught me much more than building a React interface.&lt;br&gt;
Some of the biggest lessons were:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Good dashboards are about &lt;strong&gt;information hierarchy&lt;/strong&gt;, not displaying every field available.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;A normalization layer makes supporting multiple data sources significantly easier.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security tools and frontend applications solve different problems. Sometimes the challenge isn't generating data—it's presenting that data in a way that's easy to explore.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Processing reports entirely in the browser improves both privacy and user trust.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;A simple workflow often creates a better user experience than a feature-heavy interface.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>opensource</category>
      <category>react</category>
    </item>
    <item>
      <title>Beginner's Understanding of DAST</title>
      <dc:creator>Ambika Dobhal</dc:creator>
      <pubDate>Thu, 03 Jul 2025 18:20:55 +0000</pubDate>
      <link>https://dev.to/devfendforge/beginners-understanding-of-dast-159o</link>
      <guid>https://dev.to/devfendforge/beginners-understanding-of-dast-159o</guid>
      <description>&lt;h2&gt;
  
  
  Introduction:
&lt;/h2&gt;

&lt;p&gt;During my internship , I explored one of the most fascinating areas in web application security: DAST (Dynamic Application Security Testing). At first, I had no idea what it meant. But as I worked with tools like ZAP and learned about APIs, API security, and penetration testing, the bigger picture started to make sense.&lt;br&gt;
This article reflects my beginner-level understanding — it’s not perfect, but it’s an honest account of my learning journey. I hope it helps other interns and newcomers just starting out in security.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is an API?
&lt;/h2&gt;

&lt;p&gt;API :- (Application Programming Interface)&lt;br&gt;
API is a set of definitions and protocols that allow different software to communicate with each other.&lt;br&gt;
It is just like messengers that work between two applications for communication.&lt;/p&gt;

&lt;h2&gt;
  
  
  How APIs Work:-
&lt;/h2&gt;

&lt;p&gt;API works on request and response.&lt;br&gt;
Let’s say we are making a weather website, and I want to show the current weather. I will send a request to a weather API. Then, the API acts as a messenger and responds with the weather information. This gives data in JSON format.&lt;/p&gt;

&lt;h2&gt;
  
  
  REST APIs:-
&lt;/h2&gt;

&lt;p&gt;REST stands for Representational State Transfer. It communicates between different systems over the Internet. It uses HTTP methods like GET, PUT, and DELETE to define actions that can be performed on resources.&lt;br&gt;
The main feature of REST API is statelessness. Statelessness means that each request from a client to a server must contain all the information the server needs to fulfill the request. No session state is stored on the server.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenAPI Format:-
&lt;/h2&gt;

&lt;p&gt;This is a standard way to describe an API — what the API is doing, its response, and input.&lt;br&gt;
 In simple words, it's a written description of an API. It’s written in YAML and JSON format.&lt;br&gt;
It helps with tools like DAST scanners and API testers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Postman Collections:-
&lt;/h2&gt;

&lt;p&gt;Postman is a tool for manually testing APIs.&lt;br&gt;
Postman collections are a group of saved API requests. We can also share them among team members.&lt;/p&gt;

&lt;h2&gt;
  
  
  Swagger:-
&lt;/h2&gt;

&lt;p&gt;Swagger is a tool that helps you to design, build, and document APIs.&lt;br&gt;
Swagger describes the structure of APIs.&lt;/p&gt;

&lt;h2&gt;
  
  
  API Security:-
&lt;/h2&gt;

&lt;p&gt;Protecting APIs from malicious attacks and unauthorized access.&lt;br&gt;
 Some common issues include Broken Authentication, Injection Attacks, etc.&lt;/p&gt;

&lt;h2&gt;
  
  
  API Discovery:-
&lt;/h2&gt;

&lt;p&gt;This process involves identifying and documenting all APIs in your applications, including public APIs, internal APIs, previously overlooked APIs, and third-party APIs.&lt;br&gt;
API discovery can even identify 50 APIs running in your system that you may not have been aware of.&lt;/p&gt;

&lt;h2&gt;
  
  
  DAST:- (Dynamic Application Security Testing)
&lt;/h2&gt;

&lt;p&gt;DAST is a method of testing an application's security while it’s running, but it has no knowledge of the application’s internal logic or access to its source code.&lt;br&gt;
It finds security vulnerabilities using simulated attacks like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;SQL Injections&lt;/li&gt;
&lt;li&gt;Cross-Site Scripting (XSS)&lt;/li&gt;
&lt;li&gt;Broken Authentication&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In simple words, a hacker might try to break into your app from the outside.&lt;br&gt;
It works like a hacker.&lt;/p&gt;

&lt;h2&gt;
  
  
  How DAST Works:-
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;First, run your web app (either locally or on a real website)&lt;/li&gt;
&lt;li&gt;The DAST tool sends requests to your website just like users or hackers do.&lt;/li&gt;
&lt;li&gt;It tries to:&lt;/li&gt;
&lt;li&gt;Enter weird inputs&lt;/li&gt;
&lt;li&gt;Access pages without login&lt;/li&gt;
&lt;li&gt;Log in without credentials.&lt;/li&gt;
&lt;li&gt;Send special links or scripts&lt;/li&gt;
&lt;li&gt;Put unexpected values in password fields.&lt;/li&gt;
&lt;li&gt;DAST watches your app's response.
If the app behaves in a way that shows weakness, DAST reports it.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Penetration Testing:-
&lt;/h2&gt;

&lt;p&gt;Also known as pen testing, it is a security test where professionals simulate real-world attacks on a system to find vulnerabilities.&lt;/p&gt;

&lt;p&gt;It follows these stages:&lt;br&gt;
Explore: Find the weak spot&lt;br&gt;
Attack: Attempt to exploit it&lt;br&gt;
Report: Create a report of the vulnerability&lt;/p&gt;

&lt;h2&gt;
  
  
  ZAP :-
&lt;/h2&gt;

&lt;p&gt;Zed Attack Proxy (ZAP) is a free, open-source DAST tool by OWASP (Open Web Application Security Project).&lt;/p&gt;

&lt;p&gt;It’s a penetration testing tool, mainly designed for testing web apps.&lt;br&gt;
 At its core, ZAP is known as a "man-in-the-middle proxy". It stands between the browser and web app, intercepting and inspecting the messages exchanged between them.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>cybersecurity</category>
      <category>learning</category>
      <category>api</category>
    </item>
  </channel>
</rss>
