User Activity

11 months ago
Hi Joe - SonarQube is essentially a static code quality tool and has multiple versions (community is free and then we have developer, enterprise, and data center versions which are paid). As per the latest branding from CAST, they don't market AIP as a separate product and…
11 months ago
@Tej Muchhala: Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary. 1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The…
About 1 year ago
When you say centralized view, do you mean different testing categories which should be looked at for matured software development? If yes, sharing my views on important ones. 1. Functional Testing (either using open source frameworks like Playwright, Cypress, and Selenium…
About 1 year ago
We have used the following tools and they work well in giving a detailed licensing posture for open-source libraries - WhiteSource/Mend and CAST HL. Both of them give what licenses are in use and whether they are risky or ok to use. For example, GPL license is always risky…
Over 1 year ago
MITRE ATT&CK framework provides different attack patterns. While the main website has a lot of information, Microsoft wrote this blog to share details on how Azure maps to this framework. This is an excellent read: MITRE ATT&CK® mappings released for built-in Azure security…
Over 2 years ago
We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as APIs use the Open API framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed our need. Commercial…
Over 2 years ago
Security posture will include a number of things. The following artifacts should be scanned to ensure they are secure, configured correctly and free from malware or sensitive information: OSS modules and frameworks, containers, serverless functions, APIs and declarative…
Over 2 years ago
Infrastructure as Code scripts testing, API security testing and SCA will gain more relevance and importance this year. Customers may also like to have a modular framework to pick and choose different areas of DevSecOps (SAST, SCA, DAST, IAST, OAST, etc.) as per their…
Over 2 years ago
SCA looks at open-source libraries only and associates vulnerabilities and license analysis with the open-source libraries. Helps maintain inventory of SBOM. SAST looks at the proprietary application source code and does the same - assesses code health, vulnerabilities, security…
Over 2 years ago
WhiteSource has released a utility to detect the log4j vulnerability in the codebase. Take a look at this if it helps. In our case, a lot of projects use Elastic Search and Azure DevOps Server - both of them have log4j being used and that's where additional fixes have to be…
Over 2 years ago
Hello @Charles Race, a lot of responses already on this one. Considerations will include on-premises vs SaaS, one tool vs modular approach to using different tools. I will share some additional details: 1. Snyk: It can do SAST, SCA, Containers, IaaC scripts - all 4. They have…
Over 2 years ago
Replied to reviewer1650858: How does Snyk compare with SonarQube?
@reviewer1650858: Did you use Snyk for both SAST and SCA analysis? If yes, for SAST, did you upload source code to the Snyk platform for getting results? As per documentation, they need source code to be uploaded for 24 hrs after which they remove it.
Over 2 years ago
Over 2 years ago
I believe no single tool will address all OWASP Top 10 issues. One will need a combination of tools and approaches, as was also mentioned in the recent OWASP anniversary webinars. A01-2021: Broken Access Control has moved to number 1 on the list this year compared to number 5…
Over 2 years ago
Both SAST and DAST are complementary to each other. The best approach is to include both SAST and DAST. SAST: Inspects underlying source code, requires understanding of source design, is utilized early in the development cycle and the average cost to remediate issues is…
Over 2 years ago
Multiple aspects need to be looked at. I'm listing a few critical ones: 1. Hidden passwords and secrets within the application. 2. Check IaaC, Docker, K8s scripts - do they have the right configuration? W.r.t. Kubernetes, "Hardening Guidance" was released by NSA and CISA…
Over 2 years ago
We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and…
Almost 3 years ago
OWASP ZAP is open source, free to use and one of the most active open source projects in the DAST space. There are weekly updates being done to this project. Lots of add-ons are available which make this an excellent product. The newly created automation framework (AF) is the…
Almost 3 years ago
@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET, SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great till now.
Almost 3 years ago
We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best. It can handle multiple tech stacks, gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc…
Almost 3 years ago
I believe we need to cover the SDLC from start to end as much as possible while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind: 1. IDE Checks: This is the 1st step in the shift-left approach. Many open source tools integrate…
Almost 3 years ago
SonarQube is a great product for static code analysis. But the setup of the same takes a lot of time and is tricky depending on the language in scope. For example, for .NET it needs different dependencies to be installed compared to Java. I would expect that SonarQube at the…


About me

Passionate about using technology to bring value to business.