Exam CAS-004
Question 282

A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program. Which of the following will BEST accomplish the company’s objectives? (Choose two.)

    Correct Answer: C, D

    To find weaknesses earlier in the development process and cut the cost of remediation, the startup should add Static Application Security Testing (SAST) and Software Composition Analysis (SCA). SAST analyzes source code for vulnerabilities before the code is built or deployed, so defects are caught while a developer is still working on them. SCA identifies and manages the risk carried by third-party components and dependencies, which make up a large share of a typical serverless function's code. Both run on source files and dependency manifests inside the pipeline, so they shift discovery left of the existing DAST scan and bug bounty program, which can only test an application that is already deployed and running. Together they provide the early-stage coverage that the startup's current runtime-side testing does not.
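As an added illustration (not part of the original question or its explanation), the following Python sketch shows what "shifting left" with SAST and SCA looks like in practice: both checks run on the function's source and its pinned dependency manifest in CI, with no deployed endpoint to hit, which is why they surface defects earlier than the DAST scan and bug bounty the startup already has. The handler, the requirements file and the advisory feed are all constructed for this example; the package names and advisory identifiers are invented and correspond to no real advisory. A real pipeline would use a tool such as Semgrep or Bandit for the static rules and an SCA scanner backed by a live advisory database rather than the toy version-comparison here.

```python
"""Added example: a minimal SAST + SCA gate of the kind that runs in CI on a
serverless function's source and dependency manifest before deployment.
Both checks are deliberately simple; real pipelines use dedicated tools."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Constructed sample input: a Lambda-style Python handler with two code-level weaknesses.
SAMPLE_HANDLER = '''
import subprocess

def handler(event, context):
    name = event["name"]
    # shell=True with request-controlled input: OS command injection
    subprocess.run("ping -c 1 " + name, shell=True)
    # eval over request data: arbitrary code execution
    result = eval(event["expr"])
    return {"statusCode": 200, "body": str(result)}
'''

# Constructed sample input: pinned dependency manifest (requirements.txt style).
SAMPLE_REQUIREMENTS = """\
examplelib==1.2.0
safepkg==3.0.1
oldparser==0.9.5   # trailing comments must be tolerated
"""

# Constructed, hypothetical advisory feed: package names and identifiers are
# invented for this example and match no real advisory.
EXAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "examplelib", "fixed_in": "1.3.0",
     "severity": "high", "summary": "unsafe deserialization (hypothetical)"},
    {"id": "EXAMPLE-ADV-2", "package": "oldparser", "fixed_in": "1.0.0",
     "severity": "medium", "summary": "ReDoS in parser (hypothetical)"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    tool: str        # "SAST" or "SCA"
    rule: str        # rule name or advisory id
    location: str    # file:line or package==version
    severity: str
    detail: str


def _is_shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def sast_scan(source: str, filename: str = "handler.py") -> list[Finding]:
    """Walk the AST without executing anything and flag two classic sinks."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            findings.append(Finding("SAST", "dangerous-" + func.id,
                                    f"{filename}:{node.lineno}", "high",
                                    f"{func.id}() on data that may be attacker-controlled"))
        elif (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
              and func.value.id == "subprocess" and _is_shell_true(node)):
            findings.append(Finding("SAST", "subprocess-shell-true",
                                    f"{filename}:{node.lineno}", "high",
                                    "shell=True builds a shell command string; pass an argument list instead"))
    return findings


def _vkey(version: str) -> tuple[int, ...]:
    # Assumption: plain dotted numeric versions; real SCA uses PEP 440 / semver parsers.
    return tuple(int(p) for p in version.split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Return {package_name_lowercased: pinned_version}; only '==' pins are supported."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def sca_scan(requirements: str, advisories=EXAMPLE_ADVISORIES) -> list[Finding]:
    """Match pinned dependencies against the advisory feed (pinned < fixed_in)."""
    pins = parse_requirements(requirements)
    findings: list[Finding] = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and _vkey(pinned) < _vkey(adv["fixed_in"]):
            findings.append(Finding("SCA", adv["id"], f"{adv['package']}=={pinned}",
                                    adv["severity"], f"{adv['summary']}; fixed in {adv['fixed_in']}"))
    return findings


def gate(findings: list[Finding], fail_on: str = "high") -> bool:
    """True when the build may proceed to deployment, i.e. nothing at or above fail_on."""
    return not any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings)


def run_pipeline(source: str = SAMPLE_HANDLER,
                 requirements: str = SAMPLE_REQUIREMENTS) -> list[Finding]:
    return sast_scan(source) + sca_scan(requirements)


if __name__ == "__main__":
    results = run_pipeline()
    for f in results:
        print(f"[{f.tool}] {f.severity:<6} {f.rule:<24} {f.location}  {f.detail}")
    print("deploy allowed" if gate(results) else "build blocked before deployment")
```

Everything above runs at commit or pull-request time against plain text, so the two injection sinks and the two outdated dependencies are reported before a deployable artifact exists; a DAST scanner or a bounty hunter would only see them after the function was live behind an endpoint.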

Discussion
isaphiltrick (Options: CD)

SAST: Analyzes source code for vulnerabilities before deployment. SCA: Identifies and manages risks associated with third-party components.

HappyG (Options: AD)

IAST (Interactive Application Security Testing): IAST solutions can analyze applications during runtime and provide real-time feedback on potential vulnerabilities. By integrating IAST into the DevSecOps pipeline, the startup can identify security weaknesses earlier in the development process, allowing developers to address issues as they arise. IAST complements DAST by providing deeper insights into application behavior and vulnerabilities while reducing false positives. SCA (Software Composition Analysis): SCA tools help identify and manage open-source components and dependencies within applications. Since many serverless applications heavily rely on third-party libraries and frameworks, SCA can help detect vulnerabilities in these components early in the development lifecycle. By integrating SCA into the DevSecOps pipeline, the startup can proactively identify and remediate vulnerabilities related to third-party dependencies, reducing the risk of exploitation and associated remediation costs.

userguy890 (Options: CD)

IAST is the same as DAST + SAST so best to use SAST with SCA

Ariel235788 (Options: AC)

To identify weaknesses earlier in the development process for serverless application vulnerabilities and reduce costs associated with remediation, the startup should consider the following options: A. IAST (Interactive Application Security Testing): IAST solutions can provide real-time feedback during the development process by analyzing code and identifying vulnerabilities. Unlike DAST (Dynamic Application Security Testing), which tests the application from the outside, IAST works from within the application, making it well-suited for identifying vulnerabilities in serverless applications. C. SAST (Static Application Security Testing): SAST tools can analyze the source code and identify potential vulnerabilities before the application is even deployed. It can be integrated into the development pipeline, allowing developers to catch and remediate vulnerabilities early in the process. Both IAST and SAST can help identify weaknesses early in the development process, reducing the time to identify vulnerabilities and the associated remediation costs.

EAlonso (Options: AD)

AD, they have already implemented DAST, so based on the bounty program they need to check the code (included in A... IAST = DAST + SAST) and also need SCA; this way they have covered almost any bug reported.

EAlonso

CD, for the same reason I'm moving from A to C

e020fdc (Options: CD)

I’d say C and D based on the following definitions.
A – IAST: IAST identifies security vulnerabilities in running applications while providing developers with the relevant lines of code and contextual remediation advice.
B – RASP: Runtime Application Self-Protection (RASP) is a tool that can detect attacks on applications as they occur. A RASP implementation can protect applications from malicious data and behavior by analyzing how the program behaves. If the application's behavior indicates something is wrong, RASP can help stop the threat.
C – SAST: Static application security testing is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities.

e020fdc

D – SCA: Software composition analysis (SCA) is an automated process that identifies the open source software in a codebase. This analysis is performed to evaluate security, license compliance, and code quality.
E – WAF: A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
F – CMS: A Content Management System (CMS) is a software platform that allows users to build and manage a website with limited technical knowledge and resources.

32d799a (Options: AC)

A. IAST (Interactive Application Security Testing) - IAST tools typically combine elements of both SAST and DAST and are designed to identify security vulnerabilities in applications as they are running, especially in real-time environments; C. SAST (Static Application Security Testing) - SAST analyzes the source code, bytecode, or binary code of applications for vulnerabilities without executing the code. By doing this analysis at the code level, SAST can identify vulnerabilities early in the SDLC.

Meep123 (Options: AC)

Since this is for early in development, I'm going with IAST and SAST.

Meep123

well... IAST=DAST+SAST, I'm actually going to go with SAST and SCA... oops lol