Original Post: You do not need to do DAST in a pipeline to do DevSecOps
The content explains that using dynamic scanning tools in a CI/CD pipeline is not a necessity for practicing DevSecOps. The author reassures that effective DevSecOps can be achieved without automated dynamic analysis.
Dynamic analysis involves testing systems while they are running, either from inside the application (IAST) or from the outside (DAST, manual testing). Its benefits include observing real runtime behavior and validating that a finding is actually exploitable; its disadvantages include a lack of visibility into the code itself and the added complexity that some kinds of dynamic testing bring.
Penetration testing involves skilled experts using various tools to find and validate bugs. Other dynamic testing forms include performance, stress, and DDoS testing, highlighting the flexibility in dynamic security strategies.
Modern dynamic testing tools, especially for APIs, have advanced considerably, offering features such as automated test generation and real-time monitoring. However, integrating these tools into DevSecOps should not slow down development pipelines or flood teams with false positives.
The content lists alternatives to running automated DAST in CI/CD, such as monthly automated scans, focusing on static analysis, manual DAST for legacy apps, and more. Additionally, non-tooling activities like secure coding training, threat modeling, and architecture review are recommended as part of a comprehensive security strategy.
Ultimately, the focus should be on what best suits the organization’s needs, budget, and processes rather than following popular trends or vendor advice.