Software Composition Analysis – Implementing DevSecOps with AWS

Mike Naughton | July 21st, 2022


Most modern applications are largely composed of open source code, and this is a significant challenge for organizations: they need to scan all of these dependencies, along with their own code, to manage risk effectively. Software Composition Analysis (SCA) can track all software licenses and dependencies that have reported vulnerabilities and potential exploits. Additionally, these tools generate a software bill of materials (SBOM) that can be used to track all the assets the software depends on. These tools should be integrated early in the SDLC and run whenever new dependencies are brought in or versions are upgraded.

Static Application Security Testing

Static Application Security Testing (SAST) tools scan the code that is proprietary to the organization. They evaluate the code against known programming patterns that introduce security risks. As part of the analysis, they also provide improvement feedback on how to make the code more secure. Neither SCA nor SAST requires your code to be deployed for testing, so it is appropriate to run these scans early in the SDLC, before the code is deployed into a test environment.

Dynamic Application Security Testing

As the name suggests, these tests are dynamic: they run against a live application, try to penetrate its security, and bring vulnerabilities to the surface. These tools are commonly used in production environments, and the feedback they provide is valuable for continuous compliance with security policies and standards.

Dynamic Application Security Testing (DAST) tools are mostly used for web applications, as these are frequently exposed to untrusted networks and users over the internet. As the application code evolves, these tools continue to scan it, so that newly introduced risks are identified before they turn serious.

Securing infrastructure defined as code

Infrastructure as Code (IaC) is an approach to defining and managing your infrastructure components, on-premises or in the cloud, through configuration files. Commonly used tools and services in this space are Pulumi, CloudFormation, Terraform, and AWS CDK. Securing IaC requires the security team to define a set of rules that can then be codified and used to evaluate every change to these configurations. Open Policy Agent (OPA) is one such tool that allows you to validate your infrastructure code against custom-defined policies.
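To make the policy-as-code idea concrete, here is an added example that is not from the original post and is not OPA itself: a small Python evaluator that applies two custom rules (no SSH/RDP ingress from the whole internet, no S3 bucket without default encryption) to a constructed CloudFormation template. The resource names, the template and the rule set are assumptions for illustration; in a real pipeline the same rules would be written in OPA's Rego and run against the rendered template before deployment.

```python
import json

# Constructed sample template: one over-permissive security group, one unencrypted bucket, one compliant bucket.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "admin access",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
  "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
    "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {
      "SSEAlgorithm": "aws:kms"}}]}}}}}
""")

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}     # "anywhere" in IPv4 and IPv6


def open_admin_ingress(name, props):
    """Flag ingress rules whose port range covers an admin port and is open to the whole internet."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if cidr in PUBLIC_CIDRS and any(lo <= p <= hi for p in ADMIN_PORTS):
            yield f"{name}: port range {lo}-{hi} open to {cidr}"


def unencrypted_bucket(name, props):
    """Flag S3 buckets that define no default server-side encryption."""
    if "BucketEncryption" not in props:
        yield f"{name}: S3 bucket has no BucketEncryption"


# Rule table keyed by resource type; a security team extends this the way it would add OPA rules.
RULES = {
    "AWS::EC2::SecurityGroup": [open_admin_ingress],
    "AWS::S3::Bucket": [unencrypted_bucket],
}


def evaluate(template):
    """Return a sorted list of policy violations for the template (empty list means compliant)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for check in RULES.get(res.get("Type"), []):
            findings.extend(check(name, res.get("Properties", {})))
    return sorted(findings)


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_TEMPLATE):
        print("DENY", finding)
```

A non-empty result from `evaluate` is what a CI stage would turn into a failed build, which is the gate the article describes for changes to infrastructure code.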

The tooling landscape is quite vast when it comes to all these security test mechanisms. Before we dive into the hands-on exercise, let’s have a quick overview of some tools that you can consider adopting, depending on the use case at hand.
