Table of content
DevSecOps tools ensure that your code is free from coding errors and safeguarded against software security vulnerabilities at each phase of the software development life cycle. There are two commonly used DevSecOps tools: SAST and DAST.
Static Application Security Testing is the most commonly used scanning technique. Often referred to as “white box testing”, it consists of scans performed on source code to identify the maximum number of potential vulnerabilities, before the resulting artifact could be even built.
SAST is performed without actually executing the program, and it needs to be syntactically aware of the code and the program’s inner mechanisms: everything from language, dependencies, method calls, execution order has to be extensively scanned and compared against a database of known vulnerabilities.
When correctly implemented, it can protect against most of the OWASP TOP 10 web application vulnerabilities, such as memory leaks, cross-site scripting (XSS), SQL injection, authentication, and access control misconfigurations. It is common to find SAST tools directly baked in modern IDEs, or distributed as extensible plugins because the closer to source code it is, the shorter the feedback loop for developers and the easier it is to remediate.
This faculty explains why SAST is often praised by managers, and, because the tool needs to be very precisely tuned to the stack it is used on, why so many different solutions exist.Unfortunately, static analysis can also generate a very high number of false positives and has the reputation of quickly becoming a source of alert fatigue for developers.
Here are their advantages:
Dynamic Application Security Testing - also known as “black box” testing - doesn’t find vulnerabilities in source code like SAST. Instead, it finds vulnerabilities by employing fault injection techniques on an app. The idea is to test from outside, with no knowledge of the app internals similar to what Red teams or Pentesters are doing to test for breaches.
It can also cast a spotlight on runtime problems that can’t be identified by static analysis, like authentication and server configuration issues, as well as flaws visible only when a known user logs in. Because they try to mimic adversarial behavior, they are agnostic to the underlying used technologies.
Their popularity has been rising at the same pace as web applications, handling more sensitive data and extending the number of serving endpoints, that is to say, their attack surface.
Here are their advantages:
SAST and DAST are two complementary approaches but they can't always be enough to secure modern software. They are being updated with more flexible tools and innovative approaches to better fit modern DevSecOps: