Security is no longer a siloed team with sole ownership of security testing – security testing is increasingly shifting left. Instead of developers being brought into the fold later in the process, developer focused security testing tools are bridging the gap between engineering and security.
Automation is key, with those implementing application security testing into their CI/CD pipeline to detect and fix security vulnerabilities on each build or every merge to master, seeing a considerable benefit.
It’s not a one size fits all, with different types of automated security testing tools required across your pipeline to ship secure applications and APIs, at speed.
Software Composition Analysis (SCA) and developer-centric DAST enable this and is easily achievable with Snyk and Bright, respectively.
How does developer focused DAST augment SCA and make you more secure?
Software Composition Analysis (SCA)
SCA is a widely used form of developer application security testing, with Snyk being amongst the leaders in the field. SCA identifies security vulnerabilities in your 3rd party dependencies, by building the open source dependency trees for your applications and mapping these against a database of known vulnerabilities. It then reports vulnerable open source that has been pulled into your application, to fix or patch accordingly.
The use of open source has grown dramatically over the past few years, with flaws in open source dependencies being more prevalent than ever.
For any organisation using open source, SCA like Snyk’s should definitely be used to achieve a degree of security, but is this enough?
Dynamic Application Security Testing (DAST)
Not all developers are familiar with DAST, which is not surprising. Historically DAST solutions were built for security teams, not developers, and run either by the internal security team or outsourced testing firms on production applications.
With DevSecOps, these tests need to be conducted much earlier in the development process to get a feedback loop to the developers.
While SCA looks at your source code and dependencies, Bright’s innovative developer-focussed DAST enables developers to detect and fix security bugs that they have introduced – the custom (or 1st party) code. This is done as part of the developer’s workflow or as part of their CI/CD pipeline.
With Bright, an automated DAST scan can be triggered on every build / commit or PR, to test your runtime applications and underlying APIs (whether REST, SOAP, or GraphQL), detecting vulnerabilities like SQL Injection and Cross-Site Scripting (XSS), for example.
Scans that last minutes and not hours keep up with your rapid release cycles and are not a bottleneck, maintaining DevOps speed.
Having that direct feedback loop to developers means you can fix early and often. Bright’s plug and play integrations with your pipeline are seamless – developers can stay in their environment with Bright’s CLI, as well as integrating with the likes of CircleCI, Jenkins, JFrog, AzureDevOps, JIRA and more.
Whie false positives are notoriously an issue with DAST tools, Bright’s innovative engine automatically validates every finding…no need for manual validation checks, no delays, and no builds failing for no reason!
New and recurring issues are identified and flagged as such, so focus and prioritisation of remediation is facilitated.
These features mean that there is less of a reliance on manual testing and enables security testing to be placed in the hands of developers.
So…which should you focus on and why?
Snyk & Bright – Holistic Developer-Centric AppSec Testing
To be secure by design and ensure you are shipping secure applications and APIs to production, SCA like Snyk’s, and Bright’s automated DAST should be used in conjunction.
Snyk’s SCA gets you visibility of your open source vulnerabilities that may underpin your applications, that the creative features are built on top of.
Bright’s innovative DAST lets you very easily detect security vulnerabilities across your applications and APIs. Test every build and get results you can trust, with automatically validated results free from false positives and developer friendly remediation advice.
By deploying and leveraging both tools, you are covering all your bases, to find a broader range of vulnerabilities faster and earlier, to fix them…faster and earlier!
The question is not whether you should be using SCA or DAST, but how and when you can start to use them together across your pipelines…the answer is, very easily (see below)!
Get started today
New to Bright and/or Snyk? Try us both for free to start testing for vulnerabilities in your applications today
Sign up for a FREE Bright account here – follow our quick step wizard and be up and scanning in minutes!
Try out Snyk for free here too!
You can learn more about Bright, all our integrations and more on our knowledge base