# How to identify and mitigate security vulnerabilities in software
In DevSecOps, SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis), and MPT (Manual Penetration Testing) are [Software Security Methods](https://hackmd.io/@scis-esm/SSM) that complement each other by covering different aspects and stages of the software development lifecycle (SDLC), providing a comprehensive approach to application security.
### How They Complement Each Other
- **SAST** is used early in the SDLC to analyze source code, bytecode, or binaries for vulnerabilities without executing the program. It provides immediate feedback during coding, which helps developers fix issues proactively and reduces security technical debt[1][4].
- **DAST** tests running applications from the outside, simulating attacks to find vulnerabilities. It complements SAST by identifying vulnerabilities that are only apparent when the application is running, such as those related to deployment configuration and business logic[4][5].
- **SCA** focuses on identifying known vulnerabilities in the open-source components used within an application. It complements SAST by covering third-party code that SAST does not analyze, ensuring that these components do not introduce new vulnerabilities or licensing issues[3][6].
- **MPT** involves human testers who attempt to find and exploit vulnerabilities, complementing automated tools by catching complex vulnerabilities like authorization issues and business logic flaws that automated assessments may miss[1].
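To make the SAST/SCA split concrete, here is a small added example (written for this page, not code from any cited vendor or tool). The first function is a toy SAST rule: it parses Python source with the `ast` module and, without running anything, flags a call to a method named `execute` whose first argument is assembled at runtime, a common SQL-injection pattern. The second function is a toy SCA check: it reads pinned `requirements.txt` lines and matches them against an advisory table. The advisory entry, the package names, and the two source snippets are all constructed for the example; real tools use far larger rule sets and query live advisory databases. The point the code shows is that the SAST rule never looks at the dependency list and the SCA check never looks at the application's own code, which is why the two are complementary.

```python
"""Toy SAST and SCA checks, added as an illustration for this page."""
import ast
from typing import List, Tuple

# --- SAST: inspect source code without executing it --------------------
# Assumed rule for this example: a call to a method named `execute` whose
# first argument is built by formatting or concatenation is reported as a
# possible SQL injection sink.

def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string value at runtime."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x, "%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False

def sast_scan(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings for dynamically built SQL passed to execute()."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno,
                             "possible SQL injection: query built at runtime"))
    return findings

# --- SCA: compare declared dependencies with a known-vulnerable list ----
# CONSTRUCTED advisory data for this example only; not a real advisory.
# Format: package -> list of (operator, version bound, advisory id).
CONSTRUCTED_ADVISORIES = {
    "examplelib": [("<", (2, 0, 0), "EXAMPLE-ADVISORY-001")],
}

def _parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))

def sca_scan(requirements: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for pinned packages that match."""
    hits = []
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # only exact pins are checked in this toy version
        name, version = (part.strip() for part in line.split("==", 1))
        for operator, bound, advisory in CONSTRUCTED_ADVISORIES.get(name.lower(), []):
            if operator == "<" and _parse_version(version) < bound:
                hits.append((name, version, advisory))
    return hits

# --- constructed sample inputs ------------------------------------------
VULNERABLE_SOURCE = '''
def get_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''
HARDENED_SOURCE = '''
def get_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''
REQUIREMENTS = "examplelib==1.4.2\nothertool==3.0.0\n"

if __name__ == "__main__":
    print("SAST (vulnerable):", sast_scan(VULNERABLE_SOURCE))
    print("SAST (hardened):  ", sast_scan(HARDENED_SOURCE))
    print("SCA:              ", sca_scan(REQUIREMENTS))
```

Running the script reports one SAST finding on the concatenated query, none on the parameterized version, and one SCA hit for the pinned `examplelib` version below the constructed advisory bound. Note that `HARDENED_SOURCE` would still be shipped with the vulnerable dependency if only SAST ran, and the vulnerable query would pass untouched if only SCA ran.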
### Integration in DevSecOps
- **Early Detection**: By integrating SAST and SCA early in the development process, vulnerabilities can be detected and remediated before they become more costly and difficult to fix[6].
- **Continuous Feedback**: DAST can be moved earlier in the DevSecOps process to detect vulnerabilities in pre-production environments, providing continuous feedback and reducing remediation costs[5].
- **Comprehensive Coverage**: Using all four methods ensures that both the internal and external aspects of the application are tested, and that both proprietary and third-party code is secure[1][6].
- **Learning and Improvement**: By seeing how an attack may be exploited at runtime through DAST, developers can learn to think like an attacker and may be more motivated to fix findings from SAST scans[1].
- **Policy Compliance**: DAST assessments and reports can help organizations comply with various policies and regulations, which is essential in a DevSecOps environment[5].
- **Reduced False Positives/Negatives**: Manual penetration testing helps verify the findings from automated tools, reducing the rates of false positives and negatives[5].
### Benefits of a Combined Approach
- **Defense in Depth**: This strategy ensures that security is considered at every level of the application architecture, providing multiple layers of defense against attacks[1].
- **Faster Remediation**: Organizations that scan with both SAST and DAST are likely to remediate flaws faster than those using a single method[1].
- **Reduced Risk**: By covering more ground with different testing methods, the risk of vulnerabilities slipping through into production is minimized[1].
- **Cost Efficiency**: Catching and fixing vulnerabilities early in the SDLC is generally less expensive than addressing them after deployment[4].
In summary, SAST, DAST, SCA, and MPT each play a critical role in a DevSecOps environment. When used together, they provide a robust and layered approach to application security, ensuring that vulnerabilities are identified and remediated efficiently at every stage of the SDLC.
Citations:
[1] https://www.veracode.com/blog/managing-appsec/defense-depth-why-you-need-dast-sast-sca-and-pen-testing
[2] https://fluidattacks.com/blog/differences-between-sast-sca-dast/
[3] https://www.techtarget.com/searchsecurity/tip/Understanding-3-key-automated-DevSecOps-tools
[4] https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference.html
[5] https://fluidattacks.com/product/dast/
[6] https://checkmarx.com/appsec-knowledge-hub/sast/2024-ultimate-sast-guide-cisos-appsecs-devops/
[7] https://www.reddit.com/r/devsecops/comments/159d4zd/security_tools_for_devsecops_toolchain/?rdt=59709
[8] https://devops.com/sast-dast-sca-whats-best-for-appsec-testing/