{"id":19241,"date":"2022-11-04T09:45:29","date_gmt":"2022-11-04T08:45:29","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/?p=19241"},"modified":"2022-11-04T09:45:30","modified_gmt":"2022-11-04T08:45:30","slug":"automating-security-testing","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/","title":{"rendered":"Automating Security Testing with SCA, SAST and DAST"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-what-is-automated-security-testing\">What Is Automated Security Testing?&nbsp;<\/h2>\n\n\n\n<p>Security <strong>testing processes<\/strong> and tools help identify security weaknesses and vulnerabilities in applications and software. The goal is to find issues that can potentially allow threat actors to obtain unauthorized access or otherwise attack the tested system.\u00a0<\/p>\n\n\n\n<p>Automation helps minimize the amount of manual work spent on repetitive tasks, increase testing speed, and extend testing from a periodic process to a continuous one that provides consistent results.&nbsp;<\/p>\n\n\n\n<p>Automated security testing is more cost-effective than manual testing, helping run various tests to ensure the software and systems <strong>remain secure and free from critical vulnerabilities<\/strong> throughout the entire software development lifecycle (SDLC).\u00a0<\/p>\n\n\n\n<p>Automated security testing is especially useful for DevOps and <a href=\"https:\/\/www.codemotion.com\/magazine\/devops\/4-efficient-tactics-for-increased-devsecops-compliance\/\" target=\"_blank\" aria-label=\"DevSecOps  (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"ek-link\">DevSecOps <\/a>teams looking to integrate security <strong>testing into the SDLC without reducing productivity<\/strong>. 
These tools can run various tests, including penetration testing, source code analysis, security code review, and vulnerability scanning.<\/p>\n\n\n\n<p>I\u2019ll review three tools that are commonly used for security testing in a DevSecOps environment &#8211; SCA, SAST, and DAST.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-automated-security-testing-with-sca\">Automated Security Testing with SCA\u00a0<\/h2>\n\n\n\n<p>Software composition analysis (SCA) tools help manage open source software components. SCA tools quickly identify, track, <strong>and analyze open source components in a project<\/strong>, including all related components, supporting libraries, and direct and indirect dependencies.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/www.mend.io\/resources\/blog\/software-composition-analysis\/\">SCA tools<\/a> can identify software licenses, security vulnerabilities, potential exploits, and deprecated dependencies. At the end of the scanning process, the tool generates a bill of materials (BOM) that includes a complete inventory of the project\u2019s software assets.<\/p>\n\n\n\n<p>Here are notable benefits of SCA tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Build and deliver high-quality code using a proactive risk management approach.&nbsp;<\/li><li>Identify security vulnerabilities and risks early in the SDLC and select the most secure components upfront.&nbsp;<\/li><li>Minimize the number of security assessments by testing early on when first introducing third-party components and libraries into the application.<\/li><\/ul>\n\n\n\n<p><strong>How SCA works<\/strong><\/p>\n\n\n\n<p>Here is a breakdown of the SCA process:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Scanning<\/strong>\u2014SCA tools scan a codebase to create an inventory software bill of materials (SBOM) that includes all detected open source components and dependencies.<\/li><li><strong>Informing<\/strong>\u2014the tool records all identified components, specifying license 
information, the location of detection, and the component\u2019s version. The accuracy and extent of the information generated depend on the open source information database the tool uses to analyze the scan results.&nbsp;<\/li><li><strong>Detecting<\/strong>\u2014identify open source security vulnerabilities, such as those listed in the common <a href=\"https:\/\/www.cve.org\/About\/Overview\">vulnerabilities and exposures (CVE)<\/a> and <a href=\"https:\/\/www.hackerone.com\/vulnerability-management\/cwe-common-weakness-enumeration-why-it-important\">common weakness enumeration (CWE)<\/a> glossaries.<\/li><li><strong>Alerting<\/strong>\u2014the tool pushes alerts to notify the relevant stakeholders of detected vulnerabilities and potential license conflicts.&nbsp;<\/li><li><strong>Preventing<\/strong>\u2014advanced SCA tools compare open source components against predefined policies and automatically block an affected project from promotion into production or notify stakeholders to remediate rapidly.<\/li><li><strong>Integrating<\/strong>\u2014SCA tools can integrate with CI\/CD pipelines to automate scans of projects and new project versions with each commit.&nbsp;<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-automated-security-testing-with-sast\">Automated Security Testing with SAST\u00a0<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2020\/08\/qa-tester-e1649768472591.png\" alt=\"Software Quality Assurance Analyst, automated testing\" class=\"wp-image-7576\" srcset=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2020\/08\/qa-tester-e1649768472591.png 800w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2020\/08\/qa-tester-e1649768472591-300x169.png 300w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2020\/08\/qa-tester-e1649768472591-768x432.png 768w, 
https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2020\/08\/qa-tester-e1649768472591-400x225.png 400w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>SCA, SAST and DAST are automated security testing processes.<\/figcaption><\/figure>\n\n\n\n<p>Static application security testing (SAST), also called static code analysis, is a process that <strong>identifies vulnerabilities by scanning applications<\/strong>. It analyzes patterns in byte code, source code, and binaries, as well as data and control flows in an application. SAST helps identify common vulnerabilities without running applications.<\/p>\n\n\n\n<p>SAST creates a model of the application\u2019s data flows and code and runs specified rules against this model to detect registered vulnerabilities. Organizations that create apps using different platforms, languages, and frameworks should implement these steps to ensure effective SAST:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Select the right SAST solution<\/strong>\u2014the tool must be compatible with the application\u2019s programming language and framework.<\/li><li><strong>Deploy the tool<\/strong>\u2014the organization must handle licensing requirements, set up access controls, and provision resources.&nbsp;<\/li><li><strong>Customize the solution\u2014<\/strong>the configurations should match business needs and minimize false positives.&nbsp;<\/li><li><strong>Prioritize and test applications\u2014<\/strong>high-risk apps should undergo scans first.<\/li><li><strong>Analyze the results\u2014<\/strong>this involves eliminating false positives after completing the tests and allowing the deployment team to remediate issues.<\/li><\/ul>\n\n\n\n<p>Proper training and oversight are essential to ensure that development teams use the SAST solution correctly. 
SAST tests should be an integral part of the development and deployment pipeline.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-automating-security-testing-with-dast\">Automating Security Testing with DAST&nbsp;<\/h2>\n\n\n\n<p>Dynamic application security testing (DAST), also called dynamic code analysis, is a process that identifies vulnerabilities in running applications. <a href=\"https:\/\/brightsec.com\/blog\/dast-dynamic-application-security-testing\/\">DAST scans applications<\/a> in compile-time and runtime to find vulnerabilities visible only in a running application.<\/p>\n\n\n\n<p>Teams implement DAST when an application advances past earlier life stages and enters into runtime or production. <strong>DAST tools typically test only exposed HTML and HTTP interfaces of web-enabled apps<\/strong>. However, some tools can test non-web protocols and data malformation, such as session initiation protocols (SIP) and remote procedure calls (RPC).<\/p>\n\n\n\n<p><strong>How DAST works<\/strong><\/p>\n\n\n\n<p>DAST is a black box technique performed externally to the application without any view into its architecture or source code. <strong>It involves using similar techniques to those a malicious actor would when attacking the tested application<\/strong>. For example, a DAST tool can use injection techniques like malware injection to detect SQL injection (SQLi) and cross-site scripting (XSS) vulnerabilities.<\/p>\n\n\n\n<p>DAST tools continuously scan web applications during and after development, crawling through the application before scanning it. Crawling the application enables the DAST tool to find all exposed inputs on pages in the tested application so it can test each one.&nbsp;<\/p>\n\n\n\n<p>Fully automated DAST tools can test the application after it is executed to identify and help resolve risks before they escalate to attacks. 
Once the tool discovers a vulnerability, it sends an automated alert to the team to remediate it.<\/p>\n\n\n\n<p><strong>When to use DAST<\/strong><\/p>\n\n\n\n<p>DAST can help test early and often in the SDLC. DevOps teams often use DAST to identify and fix issues, usually in conjunction with other testing techniques, as part of a comprehensive web security testing approach.&nbsp;<\/p>\n\n\n\n<p>DAST provides timely insight into how web applications behave in production. Additional forms of security testing techniques are required to gain more comprehensive visibility. <strong>DAST is typically combined with penetration testing<\/strong> (to get a real-world demonstration of how a malicious intruder might breach a web application) and static application security testing (SAST) (to find vulnerabilities in the source code earlier in the SDLC).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-automated-security-testing-with-container-scanning\">Automated Security Testing with Container Scanning\u00a0<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-1024x576.jpg\" alt=\"testing your data science model\" class=\"wp-image-17651\" srcset=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-1024x576.jpg 1024w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-300x169.jpg 300w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-768x432.jpg 768w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-1536x864.jpg 1536w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-896x504.jpg 896w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1-400x225.jpg 400w, 
https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/05\/app-test1.jpg 1919w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>DAST is a comprehensive web testing security approach.<\/figcaption><\/figure>\n\n\n\n<p>Most modern application development involves containers like Rkt or Docker. Containerized applications are easier to build because teams can package components with any underlying resources, middleware, libraries, or other dependencies.&nbsp;<\/p>\n\n\n\n<p>While this ability is useful, it is also a potential drawback of containers because the packaged components and dependencies can include security vulnerabilities. Containers group dependencies together so that operations teams can manage them with less effort, but teams can easily forget or overlook the vulnerabilities.&nbsp;<\/p>\n\n\n\n<p>Automated container scanning tools look for dependencies in containers to help reduce the vulnerability management effort\u2014they find and report components with vulnerabilities. <strong>These scanners can work on containers automatically and trigger a manual response when they detect an issue in a dependency.<\/strong> The security team can review and remediate dependencies and log issues for future reference.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-automated-vulnerability-scanning\">Automated Vulnerability Scanning<\/h2>\n\n\n\n<p>DAST, SAST, and SCA tools can protect most application components, but they don\u2019t cover all possible vulnerabilities. <strong>DAST can scan REST APIs and web UI systems<\/strong>, while container scanners can check containerized software, but some software doesn\u2019t fit into either category.\u00a0<\/p>\n\n\n\n<p>Vulnerability scanning can be useful for other types of software. 
The development team can use vulnerability scans to find security issues when deploying customized operating systems or virtual machines (VMs) to the cloud.&nbsp;<\/p>\n\n\n\n<p>Automating these scans makes it easier to manage configurations\u2014for example, by running a vulnerability scanner after each change to a deployed resource\u2019s configuration.&nbsp;<\/p>\n\n\n\n<p><strong>How Frequent Should Scanning Be?<\/strong><\/p>\n\n\n\n<p>Thousands of new vulnerabilities are discovered yearly, but attackers only need to exploit one vulnerability to breach the network. Unfortunately, vulnerability scans only provide information about the known risks at the time of each scan. <strong>It is important to maintain up-to-date vulnerability data<\/strong>, but continuous scanning can drain resources, generate false positives, and slow down the system.\u00a0<\/p>\n\n\n\n<p>Attacks can exploit new threats in between scans before the organization is aware of them. Thus, both external and internal vulnerability scans should be routine. Automated scans can run on a regular schedule (e.g., monthly). 
Several regulations require organizations in certain industries to perform more frequent vulnerability scans.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p>In this article, I explained how to use three categories of security tools to implement a robust security testing process:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>SCA<\/strong> &#8211; lets you automatically test if components in your software project and their dependencies have security weaknesses.<\/li><li><strong>SAST<\/strong> &#8211; lets you automatically test source code at every stage of the development lifecycle, and provide fast feedback to developers about security or code quality issues.<\/li><li><strong>DAST<\/strong> &#8211; lets you automatically test applications running in test, staging, or production environments.<\/li><\/ul>\n\n\n\n<p>I hope this will be helpful as you transition to a full DevSecOps work process and level up your application security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Is Automated Security Testing?&nbsp; Security testing processes and tools help identify security weaknesses and vulnerabilities in applications and software. 
The goal is to find issues that can potentially allow threat actors to obtain unauthorized access or otherwise attack the tested system.\u00a0 Automation helps minimize the amount of manual work spent on repetitive tasks, increase&#8230; <a class=\"more-link\" href=\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\">Read more<\/a><\/p>\n","protected":false},"author":100,"featured_media":19244,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":6,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_uag_custom_page_level_css":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[3356,9885],"tags":[4359],"collections":[],"class_list":{"0":"post-19241","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-devops","8":"category-qa-testing","9":"tag-testing","10":"entry"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.9 (Yoast SEO v26.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Automating Security Testing with SCA, SAST and DAST - Codemotion<\/title>\n<meta name=\"description\" content=\"Automated security testing for software and applications is key for any DevOps team. 
Learn more about SCA, DAST, and SAST in this article.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Automating Security Testing with SCA, SAST and DAST\" \/>\n<meta property=\"og:description\" content=\"Automated security testing for software and applications is key for any DevOps team. Learn more about SCA, DAST, and SAST in this article.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\" \/>\n<meta property=\"og:site_name\" content=\"Codemotion Magazine\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Codemotion.Italy\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-04T08:45:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-04T08:45:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1448\" \/>\n\t<meta property=\"og:image:height\" content=\"724\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Gilad David Maayan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@gilad_maayan\" \/>\n<meta name=\"twitter:site\" content=\"@CodemotionIT\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Gilad David Maayan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\"},\"author\":{\"name\":\"Gilad David Maayan\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/b332cfa429cd83ccb5840d43315f28c5\"},\"headline\":\"Automating Security Testing with SCA, SAST and DAST\",\"datePublished\":\"2022-11-04T08:45:29+00:00\",\"dateModified\":\"2022-11-04T08:45:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\"},\"wordCount\":1496,\"publisher\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg\",\"keywords\":[\"Testing\"],\"articleSection\":[\"DevOps\",\"QA\/Testing\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\",\"name\":\"Automating Security Testing with SCA, SAST and DAST - 
Codemotion\",\"isPartOf\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg\",\"datePublished\":\"2022-11-04T08:45:29+00:00\",\"dateModified\":\"2022-11-04T08:45:30+00:00\",\"description\":\"Automated security testing for software and applications is key for any DevOps team. Learn more about SCA, DAST, and SAST in this article.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg\",\"contentUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg\",\"width\":1448,\"height\":724,\"caption\":\"Web Development flat design illustration, Creative banner with laptop and computer screen showing app coding and programming.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.codemotion.com\/magazine\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DevOps\",\"item\":\"https:\/\/www.codemotion.com\/magazine\/devops\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Automating Security Testing 
with SCA, SAST and DAST\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#website\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/\",\"name\":\"Codemotion Magazine\",\"description\":\"We code the future. Together\",\"publisher\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.codemotion.com\/magazine\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#organization\",\"name\":\"Codemotion\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png\",\"contentUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png\",\"width\":225,\"height\":225,\"caption\":\"Codemotion\"},\"image\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Codemotion.Italy\/\",\"https:\/\/x.com\/CodemotionIT\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/b332cfa429cd83ccb5840d43315f28c5\",\"name\":\"Gilad David Maayan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/aa7da1b7504794509c4f9347d4e7ea17f0b9ae2a84233ec171434f7c8511daf7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/aa7da1b7504794509c4f9347d4e7ea17f0b9ae2a84233ec171434f7c8511daf7?s=96&d=mm&r=g\",\"caption\":\"Gilad 
David Maayan\"},\"description\":\"Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/giladdavidmaayan\/\",\"https:\/\/x.com\/gilad_maayan\"],\"url\":\"https:\/\/www.codemotion.com\/magazine\/author\/gilad-david-maayan\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Automating Security Testing with SCA, SAST and DAST - Codemotion","description":"Automated security testing for software and applications is key for any DevOps team. Learn more about SCA, DAST, and SAST in this article.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/","og_locale":"en_US","og_type":"article","og_title":"Automating Security Testing with SCA, SAST and DAST","og_description":"Automated security testing for software and applications is key for any DevOps team. 
Learn more about SCA, DAST, and SAST in this article.","og_url":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/","og_site_name":"Codemotion Magazine","article_publisher":"https:\/\/www.facebook.com\/Codemotion.Italy\/","article_published_time":"2022-11-04T08:45:29+00:00","article_modified_time":"2022-11-04T08:45:30+00:00","og_image":[{"width":1448,"height":724,"url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg","type":"image\/jpeg"}],"author":"Gilad David Maayan","twitter_card":"summary_large_image","twitter_creator":"@gilad_maayan","twitter_site":"@CodemotionIT","twitter_misc":{"Written by":"Gilad David Maayan","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#article","isPartOf":{"@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/"},"author":{"name":"Gilad David Maayan","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/b332cfa429cd83ccb5840d43315f28c5"},"headline":"Automating Security Testing with SCA, SAST and 
DAST","datePublished":"2022-11-04T08:45:29+00:00","dateModified":"2022-11-04T08:45:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/"},"wordCount":1496,"publisher":{"@id":"https:\/\/www.codemotion.com\/magazine\/#organization"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg","keywords":["Testing"],"articleSection":["DevOps","QA\/Testing"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/","url":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/","name":"Automating Security Testing with SCA, SAST and DAST - Codemotion","isPartOf":{"@id":"https:\/\/www.codemotion.com\/magazine\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg","datePublished":"2022-11-04T08:45:29+00:00","dateModified":"2022-11-04T08:45:30+00:00","description":"Automated security testing for software and applications is key for any DevOps team. 
Learn more about SCA, DAST, and SAST in this article.","breadcrumb":{"@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#primaryimage","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/11\/iStock-1258130591.jpg","width":1448,"height":724,"caption":"Web Development flat design illustration, Creative banner with laptop and computer screen showing app coding and programming."},{"@type":"BreadcrumbList","@id":"https:\/\/www.codemotion.com\/magazine\/devops\/automating-security-testing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.codemotion.com\/magazine\/"},{"@type":"ListItem","position":2,"name":"DevOps","item":"https:\/\/www.codemotion.com\/magazine\/devops\/"},{"@type":"ListItem","position":3,"name":"Automating Security Testing with SCA, SAST and DAST"}]},{"@type":"WebSite","@id":"https:\/\/www.codemotion.com\/magazine\/#website","url":"https:\/\/www.codemotion.com\/magazine\/","name":"Codemotion Magazine","description":"We code the future. 
Together","publisher":{"@id":"https:\/\/www.codemotion.com\/magazine\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.codemotion.com\/magazine\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.codemotion.com\/magazine\/#organization","name":"Codemotion","url":"https:\/\/www.codemotion.com\/magazine\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png","width":225,"height":225,"caption":"Codemotion"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Codemotion.Italy\/","https:\/\/x.com\/CodemotionIT"]},{"@type":"Person","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/b332cfa429cd83ccb5840d43315f28c5","name":"Gilad David Maayan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/aa7da1b7504794509c4f9347d4e7ea17f0b9ae2a84233ec171434f7c8511daf7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/aa7da1b7504794509c4f9347d4e7ea17f0b9ae2a84233ec171434f7c8511daf7?s=96&d=mm&r=g","caption":"Gilad David Maayan"},"description":"Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. 
Today he heads Agile SEO, the leading marketing agency in the technology industry."}]}}}