
Aggregating SCA, SAST and DAST Vulnerability Results

Publication:
May 13, 2021
Author:
Oliver Moradov

DevOps looks to combine the culture, methodologies and tooling of both the software development and operations teams, so companies can deliver new application features at a much greater velocity. 

DevSecOps takes this a step further, integrating security into DevOps and shifting security testing left. Instead of security being bolted on late in the process, developer-focused security testing tools bridge the gap between engineering and security.

One of the key challenges when implementing DevSecOps is prioritizing which vulnerabilities need to be remediated first. This is especially true when using multiple Application & API security testing tools to provide full coverage.

Automation is key. Integrating application security testing into the CI/CD pipeline, so that vulnerabilities are detected and fixed on each build or on every merge to master, delivers secure and compliant application changes rapidly and consistently.

There is no one-size-fits-all tool; different types of automated security testing are required across the pipeline to ship secure applications and APIs at speed.

Identifying security vulnerabilities at various stages of the pipeline requires the integration of several tools. These include SCA (Software Composition Analysis), SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).

We previously discussed combining DAST with Checkmarx SCA.

Leveraging these tools is great, but aggregating the vulnerability findings can be a challenge. A ‘single pane of glass’ is often needed so that the engineering and security teams have the visibility they need. Combining SCA, SAST and DAST information is also valuable as an input to SIEM (Security Information and Event Management) correlation engines, where knowing which vulnerabilities an application actually has helps produce more accurate correlation and attack detection.

Example: Combining Checkmarx SAST & SCA and Bright’s DAST

Bright’s partner, Datastream, has integrated the Checkmarx SAST and SCA solutions and Bright’s DAST platform within their proprietary xDashy platform, where their clients across the financial, retail and e-commerce sectors benefit from this comprehensive testing and aggregated data.

Combining security testing at the code level (SAST) and in the dependency tree (SCA) with testing of the running application (DAST) delivers comprehensive security testing, integrated into DevOps / CI/CD pipelines at multiple stages and put into the hands of developers.

Our joint customers’ engineering and security teams get full visibility and can manage custom dashboards, define executive reports, metrics and KPIs that improve decision-making at both the executive and technical level, consolidating SAST, SCA and DAST results on a single screen. 

For example, SCA identifies security vulnerabilities in third-party dependencies by building the open-source dependency tree for an application and mapping each component and version against a database of known vulnerabilities. It then reports the vulnerable open-source components that have been pulled into the application, so they can be upgraded or patched accordingly.

The Bright engine tests for vulnerabilities in the OWASP Top 10 and MITRE CWE classifications, leveraging thousands of payloads to test both web apps and APIs.

Bright is also the only DAST solution on the market that can scan for specific business logic vulnerabilities, a class of testing that normally requires manual work.

Having these tests automated as part of your development pipelines and included in your dashboard gives you the broadest picture of your security posture. Coupled with Bright’s automatic validation of every security finding, the DAST output delivers real-time, actionable results with no false positives.

If you are considering a DAST tool, be sure to read our blog on the Must-Have features of your DAST Tool.

Security teams can then understand the risk, prioritise remediation and coordinate with the engineering team accordingly.

Additionally, by combining the tools and aggregating the results, companies can establish a common risk identification framework: projects from the different tools are linked (manually, where the tools name them differently), findings are referenced by CWE (Common Weakness Enumeration) and, for third-party components, by MITRE’s CVE list, and everything is categorised by the CVSS v3 score, which Bright provides for each DAST finding.

Engineering Security Testing Metrics

Being able to visualise and correlate data across projects, squads or teams is also invaluable. 

Bright has comprehensive ‘Projects’ reporting functionality which can be used via the Bright app UI or integrated with your SIEM or other reporting platform, as Datastream has done with xDashy. Users can filter the results by project and by execution date, and compare results over time, graphically presenting trends and giving a visualisation of risk management.

Having visibility of the most frequently recurring risks, or being able to drill down into which team or project is generating certain vulnerabilities, allows you to prioritise remediation as well as providing targeted training on secure coding.

This helps with capacity building for secure development as well as providing for analysis of the cost and time to remediate.
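Putting the two preceding ideas into code: a common schema keyed on CWE, CVE and CVSS v3 across SCA, SAST and DAST findings (the risk identification framework described above), plus the per-weakness and per-project roll-ups used to spot recurring risks and target training. This is an added example written for this post, not code from Bright, Checkmarx or Datastream’s xDashy. The three export formats, the project names, the CVE identifiers (placeholders, not real entries) and the convention of mapping a SAST severity label to the floor of its CVSS band are all assumptions made here; a real integration would rewrite the three `from_*()` adapters against the actual tool exports.

```python
"""Normalise SCA, SAST and DAST findings to one CWE/CVE/CVSS-keyed schema.

Added illustration, not Bright, Checkmarx or xDashy code. The exports
below are constructed samples; real tool output differs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample exports. CVE ids are placeholders, not real entries.
SCA_EXPORT = [
    {"project": "payments-api", "package": "lodash", "version": "4.17.15",
     "cve": "CVE-0000-0001", "cwe": "CWE-1321", "cvss": 7.4},
    {"project": "payments-api", "package": "lodash", "version": "4.17.15",
     "cve": "CVE-0000-0001", "cwe": "CWE-1321", "cvss": 7.4},  # repeat
    {"project": "storefront", "package": "jquery", "version": "3.4.1",
     "cve": "CVE-0000-0002", "cwe": "CWE-79", "cvss": 6.1},
]
SAST_EXPORT = [  # static tools often emit a label, not a CVSS score
    {"project": "payments-api", "cwe": "CWE-89",
     "file": "handlers/orders.py", "line": 88, "severity": "High"},
    {"project": "storefront", "cwe": "CWE-79",
     "file": "templates/search.html", "line": 12, "severity": "Medium"},
]
DAST_EXPORT = [
    {"project": "payments-api", "cwe": "CWE-89",
     "url": "https://payments.example.test/api/orders?id=", "cvss": 9.8},
    {"project": "storefront", "cwe": "CWE-79",
     "url": "https://shop.example.test/search?q=", "cvss": 6.1},
]

# Assumed convention: a SAST label maps to the floor of its CVSS v3 band.
SAST_LABEL_TO_CVSS = {"Critical": 9.0, "High": 7.0, "Medium": 4.0, "Low": 0.1}


@dataclass(frozen=True)
class Finding:
    project: str
    source: str                # "SCA", "SAST" or "DAST"
    cwe: str                   # weakness class, e.g. "CWE-79"
    cvss: float                # CVSS v3 base score, 0.0-10.0
    location: str              # package@version, file:line or URL
    cve: Optional[str] = None  # only SCA findings carry a CVE


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v3 base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def from_sca(rows: Iterable[dict]) -> List[Finding]:
    return [Finding(r["project"], "SCA", r["cwe"], float(r["cvss"]),
                    f'{r["package"]}@{r["version"]}', r["cve"]) for r in rows]


def from_sast(rows: Iterable[dict]) -> List[Finding]:
    return [Finding(r["project"], "SAST", r["cwe"], SAST_LABEL_TO_CVSS[r["severity"]],
                    f'{r["file"]}:{r["line"]}') for r in rows]


def from_dast(rows: Iterable[dict]) -> List[Finding]:
    return [Finding(r["project"], "DAST", r["cwe"], float(r["cvss"]), r["url"])
            for r in rows]


def aggregate(*groups: Iterable[Finding]) -> List[Finding]:
    """Merge tool outputs, dropping exact repeats (same project, CWE, location, CVE)."""
    seen: Set[Tuple[str, str, str, Optional[str]]] = set()
    merged: List[Finding] = []
    for f in (f for g in groups for f in g):
        key = (f.project, f.cwe, f.location, f.cve)
        if key not in seen:
            seen.add(key)
            merged.append(f)
    return merged


def ranked(findings: List[Finding]) -> List[Finding]:
    """Highest CVSS first; ties broken so runtime-confirmed (DAST) findings lead."""
    order = {"DAST": 0, "SCA": 1, "SAST": 2}
    return sorted(findings, key=lambda f: (-f.cvss, order[f.source]))


def corroborated(findings: List[Finding]) -> Set[Tuple[str, str]]:
    """(project, CWE) pairs reported by more than one tool class."""
    sources: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for f in findings:
        sources[(f.project, f.cwe)].add(f.source)
    return {k for k, s in sources.items() if len(s) > 1}


def recurring_weaknesses(findings: List[Finding]) -> Counter:
    """How often each CWE recurs; the input for targeted secure-coding training."""
    return Counter(f.cwe for f in findings)


def severity_by_project(findings: List[Finding]) -> Dict[str, Counter]:
    """Per-project count of findings in each CVSS severity band."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        out[f.project][cvss_severity(f.cvss)] += 1
    return dict(out)


if __name__ == "__main__":
    found = aggregate(from_sca(SCA_EXPORT), from_sast(SAST_EXPORT), from_dast(DAST_EXPORT))
    multi = corroborated(found)
    for f in ranked(found):
        flag = "*" if (f.project, f.cwe) in multi else " "
        print(f"{flag} {f.cvss:4.1f} {cvss_severity(f.cvss):8} {f.source:4} "
              f"{f.project:13} {f.cwe:9} {f.location}")
    print("Recurring:", recurring_weaknesses(found).most_common(3))
    print("By project:", severity_by_project(found))
```

The dedupe key deliberately includes the location, so a SQL injection reported by SAST at a source line and by DAST at the URL that reaches it are kept as two findings but flagged as corroborated; a finding confirmed by two tool classes is a strong candidate to fix first, independent of its raw CVSS score.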

Whether you are looking to enhance your current SAST and / or SCA scanning or are just entering the realm of security testing, using Bright’s DAST is simple: it can be used as a standalone scanner by the security team or integrated across your pipelines.

Whether testing your web apps or APIs (SOAP, REST, GraphQL), the results are organised in a developer-friendly way and, for QA teams, can help establish a culture of security testing and let you champion it.

Go ahead and try it out! With our free account, you can get started today; get your account now – https://nexploit.app/signup
