DevSecOps

FeIix edited this page Apr 29, 2026 · 5 revisions

DevSecOps - Addressing Security Challenges in a Fast Evolving Landscape White Paper

Software Security

  • SAST - Static Application Security Testing
  • DAST - Dynamic Application Security Testing

| Feature | SAST (Static) | DAST (Dynamic) |
|---|---|---|
| Testing approach | White-box (inside-out) | Black-box (outside-in) |
| How | Scans source code without executing it | Simulates attacks by interacting with the running application |
| Visibility | Full access to source code/binaries | No access to source code needed |
| When it occurs | Early in the SDLC (coding/build) | Later in the SDLC (testing/prod) |
| Vulnerabilities | Code-level flaws (e.g., hardcoded secrets) | Runtime flaws (e.g., server configs) |
| Tools | SonarQube, FindSecurityBugs and Snyk Code | OWASP ZAP, Burp Suite, and StackHawk |
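To make the SAST/DAST split in the table concrete, here is an added example (written for this wiki page, not code from the white paper or from any of the tools listed). It runs a minimal white-box check over a constructed source file, where the hardcoded credential is visible in the text and nothing is executed, and a minimal black-box check against a constructed HTTP service running locally, where the missing security headers and the version banner only exist at runtime and are not visible in any source scan. The sample source, the secret patterns, the expected header list and the `VulnerableApp` handler are all assumptions made for the example, not rules taken from a named scanner.

```python
"""Added example: a minimal SAST check and a minimal DAST check side by side.
Illustrative code written for this page; the sample app and findings are
constructed, not taken from the white paper or from any listed tool."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed source file. The hardcoded credential and the access key ID are
# the kind of code-level flaw a SAST tool reports without running anything.
SAMPLE_SOURCE = '''
import os
DB_PASSWORD = "hunter2"          # hardcoded secret
api_key = os.environ.get("API_KEY")
token = "AKIAIOSFODNN7EXAMPLE"
'''

# Patterns loosely modelled on secret-detection rules (assumptions for the
# example, not rules copied from any scanner).
SECRET_PATTERNS = [
    ("hardcoded-password",
     re.compile(r'(?i)\b\w*(password|passwd|secret)\w*\s*=\s*["\'][^"\']+["\']')),
    ("aws-access-key-id", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]


def sast_scan(source: str) -> list[tuple[int, str]]:
    """White-box check: read the source text line by line, never execute it.
    Returns (line number, rule id) pairs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


class VulnerableApp(BaseHTTPRequestHandler):
    """Constructed target. The handler body contains no secret for a source
    scan to flag; its runtime configuration is the problem: a version banner in
    the Server header and no browser-hardening headers."""
    server_version = "ExampleApp/1.0"   # emitted as the Server: header

    def do_GET(self):
        body = b"hello"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the example quiet
        pass


# Headers a black-box scanner typically expects on an HTML/API response
# (assumption for the example; real scanners have much longer lists).
EXPECTED_HEADERS = ["X-Content-Type-Options", "X-Frame-Options",
                    "Content-Security-Policy"]


def dast_scan(base_url: str) -> list[str]:
    """Black-box check: talk to the running service over HTTP; no source needed."""
    findings = []
    with urlopen(base_url, timeout=5) as resp:
        headers = resp.headers          # case-insensitive mapping
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings.append(f"missing-header:{name}")
    if re.search(r"/\d", headers.get("Server", "")):  # version number in banner
        findings.append("server-version-disclosure")
    return findings


def run_dast_against_sample_app() -> list[str]:
    """Start the constructed app on a free loopback port, scan it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableApp)   # port 0: pick a free port
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return dast_scan(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("SAST findings:", sast_scan(SAMPLE_SOURCE))
    print("DAST findings:", run_dast_against_sample_app())
```

The two scans find disjoint things on purpose: the static pass reports the secret on line 3 and the key ID on line 5 of the sample source but knows nothing about headers, while the dynamic pass reports the four runtime findings but never sees the source. That is the practical reason the table places SAST at coding/build time and DAST at testing/prod time, and why a pipeline normally runs both rather than choosing one.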