Raphael Mary
Feb 5, 2024

DevSecOps is the practice of building security into the CI/CD pipeline, or the DevOps process as a whole, from the beginning to the end of the development process.

Software developers who collaborate with AppSec engineers will encounter key terms that security engineers use to describe the type of security testing being carried out during development. Security testing can be categorized as white-box or black-box testing. Some of these terms include:

SAST (Static Application Security Testing): white-box testing used to identify security issues within the source code. It can be automated or conducted manually using a checklist.

SCA (Software Composition Analysis) tools: scan your code base to provide visibility into the open-source software components it uses, including license compliance and security vulnerabilities. The scan lets us identify the third-party libraries within our source code, the license issues associated with each library, and their potential security issues.

DAST (Dynamic Application Security Testing): black-box security testing in which dynamic tests are performed on both web and mobile applications using automated tools.

IAST (Interactive Application Security Testing): combines SAST and DAST and attempts to overcome their limitations. It scans specific workflows through the code in order to identify security issues.

IaC (Infrastructure as Code): IaC is the practice of defining and provisioning infrastructure through code definition files; analysing those definition files in order to identify vulnerabilities is called IaC security testing.
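As an added illustration of IaC security testing (example code written for this article, not taken from any real scanner), the following Python reads a constructed Terraform JSON-syntax definition and flags two common misconfigurations: a security group that opens an administrative port to 0.0.0.0/0, and an S3 bucket with a public ACL. The sample definition, the resource names and the list of administrative ports are all assumptions made for this example.

```python
import json

# Constructed Terraform JSON-syntax definition used as sample input (not a real deployment).
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "web": {"ingress": [
                {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            ]},
            "db": {"ingress": [
                {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]},
            ]},
        },
        "aws_s3_bucket": {"assets": {"acl": "public-read"}, "logs": {"acl": "private"}},
    }
})

# Ports that should never be reachable from the whole internet (assumption made for this example).
ADMIN_PORTS = {22, 3389, 3306, 5432}

def check_security_groups(resources):
    """Flag ingress rules that open an admin port to 0.0.0.0/0."""
    findings = []
    for name, sg in resources.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
                continue
            # protocol "-1" means "all traffic": every port is exposed regardless of the port fields
            if rule.get("protocol") == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                findings.append((f"aws_security_group.{name}", f"admin port(s) {exposed} open to 0.0.0.0/0"))
    return findings

def check_s3_buckets(resources):
    """Flag buckets whose ACL is anything other than private."""
    return [(f"aws_s3_bucket.{name}", f"public ACL '{bucket['acl']}'")
            for name, bucket in resources.get("aws_s3_bucket", {}).items()
            if bucket.get("acl", "private") != "private"]

def scan_iac(tf_json_text):
    """Run all checks over one Terraform JSON document; returns (resource, issue) pairs."""
    resources = json.loads(tf_json_text).get("resource", {})
    return check_security_groups(resources) + check_s3_buckets(resources)
```

Running `scan_iac(SAMPLE_TF_JSON)` reports the SSH rule on the `web` security group and the `assets` bucket, while the HTTPS rule and the internal database rule pass; a real pipeline would fail the build on any finding.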

API Security: the process of identifying security issues within an API. This is also called security for microservices, which are a subset of APIs. For example, an e-commerce website will have a user registration API, and this API will have microservices that perform CRUD operations on the user.

If, as a developer, you are not currently working with an application security engineer to help detect and mitigate security flaws in your code, recommend it to your organization, because the security of your application is your responsibility.

Cheers!