The security of technology, information and communication (ICT) is one of the tasks of government agencies X. The security of government ICT can be achieved by applying the principle of Security by Design. The Open Web Application Security Project (OWASP) publishes a list of potential vulnerability risks that are most common in web applications. Security tests can be carried out by performing a vulnerability assessment. The risk assessment is a series of measures to identify and analyze possible security gaps in the system of an organization or a company. Steps to look for vulnerabilities in the vulnerability assessment phase, starting with target discovery, scanning, results analysis, and reporting. The IAST approach (Interactive Application Security Testing) is used for security tests using a vulnerability assessment. When developing a vulnerability analysis system using the IAST approach, Jenkins tools, the ZAP-API, and SonarQube are used. The results of the vulnerability analysis are grouped based on the OWASP Top Ten 2017. Using the IAST approach, a total of 249 vulnerability risks were identified.