☁️
DevSecOps
  • DevSecOps
  • Case Study
  • The Big Picture
  • Checklist
  • 1. DevSecOps-The Big Picture
    • Understanding DevSecOps Concepts
      • DevSecOps Concept
      • DevSecOps Manifesto
      • What problem do DevSecOps solve?
      • Security as Code
      • CI/CD Pipeline Assurance
    • Identifying the Benefits of DevSecOps
      • Where is DevSecOps Appropriate?
      • Benefits of DevSecOps
      • Roles and Responsibilities
    • Designing DevSecOps for Plan, Code, and Build SDLC Phases
      • Threat Modeling - PLAN
      • Secure Code Standards
      • SAST and SCA - CODE
      • Vulnerability Scanning - BUILD
    • Designing DevSecOps for Test, Release, and Operate SDLC Phases
      • DevSecOps in the TEST Phase
      • DevSecOps in the DEPLOY Phase
      • DevSecOps in the OPERATE Phase
    • Common DevSecOps Myths
  • 2. Approaching Automated Security Testing in DevSecOps
    • Understanding Automated Security Testing
      • What Is Automated Security Testing?
      • Types of Security Testing
      • Manual vs. Automated Testing
    • Differentiating the Pros and Cons of Automated Security Testing
    • Understanding What and Where to Test during Automated Security Testing
    • Continuing
Powered by GitBook
On this page
  1. 1. DevSecOps-The Big Picture
  2. Designing DevSecOps for Plan, Code, and Build SDLC Phases

SAST and SCA - CODE

Now let's move on to the coding section of the CI/CD life cycle.

Static Application Security Testing (SAST) - Examines source code to identify weaknesses that can lead to security vulnerabilities. Think of it as a source code review and testing off the source code itself.

Software Composition Analysis (SCA) is quite different. This is a process that looks at the open-source components that make up your software and checks all of these components against known vulnerabilities.

⭕ Features of SAST

▪ Reads source code

▪ Language-specific scanner

▪ False positives

▪ Fast and automated

▪ Finds weaknesses early

NIST list of source code security analyzers

https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

PreviousSecure Code StandardsNextVulnerability Scanning - BUILD

Last updated 3 years ago