
SCA and SAST: What Do They Do and How Can They Help Developers Like You?


The “Sec” in DevSecOps introduces application security in an agile framework as part of a continuous development process, instead of as a secondary step to releasing software. 

While adding security checks throughout the software development process has many benefits, such as lowering the cost of fixing a security issue, it introduces challenges as well. In traditional software development, application developers and security teams are siloed into separate organizations, in part because technical security professionals hold highly specialized knowledge.

DevSecOps shares the responsibility of security with the application developer, who may not have this skill set. For this reason, it’s important to choose tools that provide this knowledge and identify vulnerabilities for developers. 

Two such types of tools are Software Composition Analysis (SCA) and Static Application Security Testing (SAST). Many articles attempt to pit these types of tools against each other in an SCA vs. SAST battle. In reality, they solve different pieces of the security problem. A well-positioned application development team should really have both solutions in place. Read on to find out why.

What these tools do

Static Application Security Testing (SAST)

SAST tools examine source code for insecure code patterns, often providing feedback in a developer’s IDE or version control system, such as with GitHub Pull Requests. 

SAST products are derived from static analysis tools, often known as linters, which have many uses outside security such as detecting style deviations and general programming errors in source code that may not be caught by a language compiler. Often these products will go beyond simply linting and attempt to help the developer prioritize insecure code issues that are the most important to address.
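As an added illustration of that linter lineage (example code written for this page, not code from the original post or from Sonatype), here is a toy SAST-style check built on Python's ast module. It flags a few insecure call patterns with line numbers and orders them by severity, the way a SAST product surfaces and prioritizes findings in a pull request; the rule table and the sample module are constructed for the example.

```python
# Toy SAST-style checker, added as an illustration (not a Sonatype or page tool).
# It walks a Python AST looking for a few insecure code patterns and reports them
# with line numbers. The rule table and the sample source below are constructed.
import ast

# Unsafe call names and the severity assigned to each (constructed rule table).
DANGEROUS_CALLS = {"eval": "high", "exec": "high", "pickle.loads": "medium"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def _call_name(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'pickle.loads' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def scan(source: str) -> list[tuple[str, int, str]]:
    """Return (severity, line, rule) findings, highest severity first, so the
    developer sees the issues that matter most before a merge."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((DANGEROUS_CALLS[name], node.lineno, f"call-to-{name}"))
        # subprocess.* with shell=True routes the command through a shell, so
        # any user-controlled fragment of it becomes a command-injection risk.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append(("high", node.lineno, "subprocess-shell-true"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

# Constructed module under review: one safe call and three that should be flagged.
SAMPLE = """import subprocess, pickle
def run(cmd, blob):
    subprocess.run(["ls", "-l"])      # safe: argv list, no shell
    subprocess.run(cmd, shell=True)   # flagged
    data = pickle.loads(blob)         # flagged
    return eval(data)                 # flagged
"""

if __name__ == "__main__":
    for severity, line, rule in scan(SAMPLE):
        print(f"{severity:>6}  line {line}: {rule}")
```

A real SAST product adds data-flow tracking (is the argument actually attacker-controlled?) and many more rules, but the workflow is the same: parse, match patterns, rank, and report where the developer already works.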

Software Composition Analysis (SCA)

SCA tools on the other hand detect the use of third-party (often open source) software (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Theresa Mammarella. Read the original post at: https://blog.sonatype.com/sca-and-sast-what-do-they-do-and-how-can-they-help-developers-like-you