To implement DevSecOps, organizations should consider a variety of application security testing (AST) tools to integrate into their CI/CD process. Some commonly used AST tools follow:
- Static application security testing (SAST)
- Software composition analysis (SCA)
- Interactive application security testing (IAST)
- Dynamic application security testing (DAST)
SAST tools scan proprietary code, or custom code, for coding errors and design flaws that could lead to exploitable weaknesses. SAST tools are used primarily during the code, build, and development phases of the SDLC. Coverity is one such SAST tool.
SCA tools such as Black Duck scan source code and binaries to identify known vulnerabilities in open source and third-party components. They also provide insight into security and license risks to accelerate prioritization and remediation efforts. In addition, they can be integrated seamlessly into a CI/CD process to continuously detect new open source vulnerabilities, from build integration to pre-production release.
IAST tools, working in the background during manual or automated functional tests, analyze web application runtime behavior. For example, the Seeker IAST tool uses instrumentation to observe application request/response interactions, behavior, and dataflow. It detects runtime vulnerabilities and automatically replays and tests the findings, providing detailed insights to developers down to the line of code where they occur. This enables developers to focus their time and effort on critical vulnerabilities.
DAST is an automated black box testing technology that mimics how a hacker would interact with your web application or API. It tests applications over a network connection and by examining the client-side rendering of the application, much like a pen tester would. DAST tools do not require access to your source code or customization to scan your stack. They interact with your website and find vulnerabilities with a low rate of false positives. For example, Tinfoil Security DAST tools identify vulnerabilities on web applications and APIs, including web-connected devices such as mobile back-end servers, IoT devices, and any RESTful or GraphQL APIs.