Application Security Testing

All activities related to enabling scanning

Capabilities

Capabilities under the heading "Application Security Testing" include:

  • Scanners
    1. Secret detection
    2. Dependency scanning
    3. Container scanning
    4. SAST + SAST-IaC
    5. API security testing
    6. DAST browser-based scanning
    7. Fuzz (both kinds)
  • Scan Execution Policies
  • Pipeline Execution Policies

Approaches

Note that there are three distinct ways to implement security scans:

  1. Direct CI/CD - individual scanners configured in the CI/CD configuration of individual projects. Well suited to ensuring operational integrity and to generating some initial data, so that development of the workflow, triage, and remediation processes can begin.
  2. CI/CD library - wrappers for the scanner configurations, kept alongside other shared CI/CD configuration, so that parameterized configuration can be shared among projects. The best way to organize CI/CD configs in a large organization.
  3. Scan Execution Policies - enforce scanning across a portfolio of projects with minimal adaptation. More complicated for DAST and API scanning. Doesn't support Fuzz scanning (?)
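
The first two approaches, as an added example that is not from the original page, assuming the platform is GitLab CI/CD (the scanner list and policy names above are GitLab's); template and variable names are GitLab's documented ones, while the shared-library project path and tag are placeholders.

```yaml
# Added example, not from the original page: approaches 1 and 2 above, assuming
# GitLab CI/CD. Template and variable names are GitLab's documented ones; the
# library project path and tag are placeholders.

# ---- Approach 1: direct CI/CD -----------------------------------------------
# .gitlab-ci.yml of a single project. Each scanner template is pulled in
# directly. Fast to stand up, but every project repeats (and drifts on) the
# same settings, so tuning has to be redone per project.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"   # per-project tuning
  SECRET_DETECTION_HISTORIC_SCAN: "true"          # one-off full-history sweep
---
# ---- Approach 2: CI/CD library ----------------------------------------------
# File security/scanners.yml in a shared project "<group>/ci-library"
# (placeholder). The same templates are wrapped once, with organisation-wide
# defaults, and every consuming project gets them from here.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  SECURE_LOG_LEVEL: "info"
---
# .gitlab-ci.yml of a consuming project: one include, pinned to a tag so that
# a change in the library reaches the project as a deliberate, reviewable
# upgrade rather than silently on the next pipeline run.
include:
  - project: "<group>/ci-library"        # placeholder project path
    ref: "v1.4.0"                        # placeholder tag
    file: "security/scanners.yml"

variables:
  SAST_EXCLUDED_PATHS: "spec, vendor"    # project-level override still possible
```

Variables set in the consuming project's own file take precedence over those in the included library file, which is what lets the last block override the shared default without forking the library.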

Third-party scanners

...