SAST? DAST? SCA?
What’s up with all the acronyms in the security world? In this developer challenge, let’s get to know three types of security tools we hear about often: SAST, DAST, and SCA, their pros and cons, and where each one belongs in the development cycle. Learn about the differences between SAST, DAST, and SCA in our blog post here:
Match the following statements to a type of security tool. Do these statements apply to SAST, DAST, or SCA?
- Also called “Static Application Security Testing”.
- Best if run towards the end of the development lifecycle, in an environment as close to production as possible.
- Often bundled with SAST tools, and ideally run alongside them.
- Tests for publicly disclosed vulnerabilities in third-party components of an application.
- Runs the application and probes it from the outside, the way an attacker would, so it surfaces vulnerabilities that are actually exploitable as well as runtime issues.
- Examines an application’s custom source code or binary to find vulnerabilities such as the OWASP Top Ten categories and information leaks.
- You need to pick a tool tailored for the language you use.
- Creates a list of third-party components your application uses and scans vulnerability databases for matching entries.
- Also called “Software Composition Analysis”.
- Also called “Dynamic Application Security Testing”.
- Best if run early and often, ideally with every pull request or significant code change.
- Submit your full name, email address, organization, along with your answer to this link: go.shiftleft.io/developer-challenger-07–2021 by July 31, 2021, 11:59 PM PT.
- Three correct submissions will be selected randomly to win a SnackMagic snack box. We will announce the winners by August 31, 2021.
- We will run developer challenges every month. At the end of the year, all developers who participate will be entered into a raffle for a special prize based on the number of challenges they participated in. (Each challenge submission gets one raffle ticket.)
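The statement above about building an inventory of third-party components and matching it against a vulnerability database describes the core of software composition analysis. The following Python is an added illustration of that matching step, not ShiftLeft’s code or output: the manifest, package names, advisory IDs, version ranges and summaries are all constructed for the example.

```python
"""
Toy software composition analysis (SCA) matcher.

Added illustration, not code from ShiftLeft or any real SCA product.
Every package name, advisory ID and version range below is constructed.
"""
from typing import Dict, List, Optional, Tuple

# A constructed dependency manifest in pip "requirements.txt" style.
MANIFEST = """\
# constructed sample, not a real project
examplelib==1.10.2
jsonkit==0.4.0
netclient==2.3.1   # pinned for a reason nobody remembers
"""

# A constructed advisory database. Each entry names a package and the
# half-open range [introduced, fixed) of affected versions; a missing
# "fixed" means no patched release exists yet.
ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-2021-0001", "package": "examplelib",
     "introduced": "1.9.0", "fixed": "1.11.0",
     "summary": "hypothetical deserialization flaw"},
    {"id": "EXAMPLE-2021-0002", "package": "jsonkit",
     "introduced": "0.1.0", "fixed": "0.4.0",
     "summary": "hypothetical parser denial of service, fixed in 0.4.0"},
    {"id": "EXAMPLE-2021-0003", "package": "netclient",
     "introduced": "2.0.0", "fixed": None,
     "summary": "hypothetical TLS verification bypass, no fix released"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric.

    Comparing version strings lexically is a classic SCA bug:
    '1.10.2' < '1.9.0' as strings, but not as versions.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} from requirements-style lines.

    Only exact pins ('name==version') are handled; comments and blank
    lines are skipped. An unpinned entry is rejected rather than guessed,
    because a match against the wrong version is worse than no match.
    """
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency, cannot match reliably: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(manifest_text: str, advisories: List[dict]) -> List[dict]:
    """Build the component list, then match it against the advisory database."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned is None:
            continue
        if is_affected(pinned, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "version": pinned,
                "fixed": adv["fixed"],
                "summary": adv["summary"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        fix = (f"upgrade to {f['fixed']}" if f["fixed"]
               else "no fixed version; mitigate or replace the component")
        print(f"{f['id']}: {f['package']}=={f['version']} ({f['summary']}); {fix}")
```

Two details matter in practice. Version comparison must follow the ecosystem’s own rules (PEP 440 for Python, semver for npm, and so on) rather than string order, and a real tool works from a resolved lockfile so that transitive dependencies are inventoried too. A match also only says that a vulnerable version is present, not that the vulnerable code is reachable from your application, which is why SCA findings still need triage.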