
Your Guide to AppSec Tools: SAST or SCA?

The application security market is saturated with tools like DAST, SAST, IAST, and RASP, which can be overwhelming. Each of these tools plays a specific security role within the SDLC, but are they really representative of AppSec risk, or just different flavors of traditional methodologies?

When it comes to reducing vulnerabilities within the SDLC and gaining an overall picture of risk, a question we are frequently asked is, “What’s the difference between SAST and SCA?” The short answer: they address completely different problem sets.

Static Application Security Testing (SAST) defined

SAST is a security testing tool that’s been around for over a decade and was developed when most code was proprietary and copy/pasting snippets was a huge problem. Its primary use case is reporting security and quality issues in proprietary, static source code (internally written). This is different from Dynamic Application Security Testing (DAST), which flags run-time issues.

Software Composition Analysis (SCA) defined

On the other hand, SCA is a newer technology solving a different problem: open source governance. SCA supports more modern development environments where software is procured by developers from an upstream supply chain. SCA tools scan applications to identify open source components, creating a software bill of materials (SBOM), and ultimately surface risk using metadata about overall component quality (vulnerabilities, licensing, architecture, etc.). Its primary use case is compliance and developing dependency management workflows.
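The SCA workflow described above (inventory the open source components, record them in an SBOM, then join that inventory against quality metadata such as vulnerabilities and licences) is sketched below as an added example. It is not code from the original post or from any Sonatype product. It assumes a pip-style requirements manifest as the input, an in-memory metadata table standing in for the vulnerability and licence feeds a real SCA tool would consult, and a CycloneDX-like dictionary as the SBOM shape; the package names, versions and advisory identifiers are all constructed placeholders.

```python
"""Minimal SCA-style inventory and risk lookup (added example, not from the post).

Three steps: parse a manifest into components, emit a small SBOM, and
surface findings by joining each component against vulnerability and
licence metadata. All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed manifest standing in for a project's requirements.txt.
SAMPLE_REQUIREMENTS = """\
# comment line, ignored by the parser
examplelib==1.2.0
otherpkg==3.4.1  # pinned, trailing comment
unpinnedthing
"""

# Constructed metadata store standing in for the advisory and licence feeds
# an SCA tool consults. Advisory identifiers are placeholders, not real ones.
METADATA = {
    "examplelib": {
        "license": "MIT",
        "advisories": [
            {"id": "EXAMPLE-ADV-0001", "fixed_in": "1.3.0", "severity": "high"},
        ],
    },
    "otherpkg": {"license": "GPL-3.0-only", "advisories": []},
}

# Licences that commonly trigger a legal/compliance review step.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Component:
    name: str
    version: Optional[str]
    license: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_version(v: str):
    """Dotted numeric version -> tuple, so comparisons are numeric not lexical."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str):
    """Yield (name, version-or-None) pairs from 'name==x.y.z' style lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][0-9.]*))?$", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def build_sbom(text: str):
    """Inventory step: one Component record per declared dependency."""
    return [Component(name=n, version=v) for n, v in parse_requirements(text)]


def enrich(sbom, metadata=METADATA):
    """Risk step: attach licence and advisory findings to each component."""
    for c in sbom:
        meta = metadata.get(c.name)
        if c.version is None:
            c.findings.append("unpinned version: advisories cannot be evaluated")
        if meta is None:
            c.findings.append("unknown component: no metadata available")
            continue
        c.license = meta["license"]
        if c.license in COPYLEFT:
            c.findings.append(f"licence review: {c.license} is copyleft")
        if c.version is not None:
            for adv in meta["advisories"]:
                # Affected if the pinned version predates the fixing release.
                if parse_version(c.version) < parse_version(adv["fixed_in"]):
                    c.findings.append(
                        f"{adv['id']} ({adv['severity']}): fixed in {adv['fixed_in']}"
                    )
    return sbom


def to_sbom_dict(sbom):
    """CycloneDX-like shape; only the fields this example populates."""
    return {
        "bomFormat": "CycloneDX",
        "components": [
            {"type": "library", "name": c.name, "version": c.version,
             "licenses": [c.license] if c.license else []}
            for c in sbom
        ],
    }


if __name__ == "__main__":
    for comp in enrich(build_sbom(SAMPLE_REQUIREMENTS)):
        print(comp.name, comp.version, comp.license, comp.findings)
```

The unpinned component is deliberately kept as a finding rather than skipped: an SBOM that silently drops what it cannot resolve understates risk, which is the opposite of what the compliance use case needs.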

SAST vs. SCA – What’s the difference?

When comparing SAST and SCA, it comes down to what each one analyzes, and on that basis the two are not really comparable: SAST analyzes proprietary code, while SCA analyzes open source.

  • Binaries + Source Files vs. Source code – SAST tools only analyze the source code/compiled code. This can prove problematic for a few reasons. SAST requires access to the source files, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Alyssa Shames. Read the original post at: https://blog.sonatype.com/your-guide-to-appsec-tools-sast-or-sca
