As a “nontech” attendee at Black Duck’s FLIGHT 2016 user conference, I had my work cut out for me keeping track of all the buzzwords and acronyms. However, after attending Mike Pittenger’s session, “Filling Your AppSec Toolbox,” I learned a lot about some of the most important tools in application security testing—SAST, DAST, and open source security management (OSSM).
As the threat of cybercrime continues to rise, so does the importance of application security. Practices such as penetration testing, threat modeling, and other security methodologies have become go-to activities for protecting organizations against external cyber threats. In order to head off potential risks, developing code with security in mind has become a priority for companies large and small.
There are a wide variety of testing tools used to strengthen security throughout the software development life cycle (SDLC). The most widely implemented tools are static application security testing (SAST) and dynamic application security testing (DAST). Open source security management is less well known—but critically important. More on that in a bit.
When it comes to DAST, SAST, and OSSM, it can be hard to know which testing methodology works best. The truth is there is no clear winner, as each methodology works better on different classes of vulnerabilities. The more important question to ask is, “When should I use each of these methodologies?”
Here are the primary differences and uses for DAST, SAST, and OSSM I learned from attending the technical track at FLIGHT 2016.