Question: Are static (SAST), dynamic (DAST), and dependency (SCA) scans integrated into the development lifecycle?
Objective — Why This Matters
Security testing embedded in CI/CD catches defects while they are still cheap to fix and keeps coverage current: every build is re-checked as new code lands and as new vulnerabilities are disclosed in the dependencies it pulls in, rather than relying on a point-in-time scan before release.
Maturity Levels (0–5)
0 – No automated security testing.
1 – Manual scans run before release.
2 – SAST/DAST/SCA tools selected; usage documented.
3 – Tools integrated into CI/CD; findings tracked.
4 – Build gates block critical issues; metrics reported.
5 – Risk-based testing strategy with continuous feedback.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Run manual OWASP ZAP (DAST) and SonarQube (SAST) scans before each release and keep the reports. |
| 1 → 2 | Document which SAST/DAST/SCA tools are used, on which repositories, and how often scans run. |
| 2 → 3 | Integrate SAST/DAST/SCA into CI/CD pipelines and push findings into a tracker (e.g., DefectDojo) so each one has an owner. |
| 3 → 4 | Define build gates that fail the pipeline on critical findings, with approved, time-boxed exceptions rather than silent suppressions. |
| 4 → 5 | Analyze finding trends over time and prioritize remediation by risk (exploitability, exposure, asset criticality) rather than raw scanner severity. |
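A minimal build gate for the 3 → 4 step, as an added example that is neither the page's own tooling nor part of the Grype project: it reads Grype's JSON report, fails the build on findings at or above a severity threshold, and honours approved, time-boxed exceptions so that the only way past the gate is a fix or a dated risk acceptance. The report is constructed inline; only the fields the gate reads follow Grype's JSON layout (assumed to match the Grype version in use), and the CVE IDs, package names and versions are placeholders.

```python
"""Build gate over Grype SCA output: fail the pipeline on findings at or above a
severity threshold, honouring time-boxed exceptions. Added example for this
page; it is not the page's own tooling nor part of the Grype project."""
import json
import sys
from datetime import date

# Severity labels as Grype emits them in its JSON output, ranked for comparison.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report. Only the fields the gate reads follow Grype's JSON
# layout (matches[].vulnerability.{id,severity,fix.state}, matches[].artifact.{name,version});
# the CVE IDs, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.3"]}},
         "artifact": {"name": "libexample", "version": "1.2.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "widgetlib", "version": "0.9.1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["2.0.1"]}},
         "artifact": {"name": "parserlib", "version": "2.0.0"}},
    ]
})


def evaluate(report_json, threshold="High", fixed_only=False, exceptions=None, today=None):
    """Classify each match as blocking or accepted.

    threshold   -- lowest severity that blocks the build
    fixed_only  -- if True, findings with no fixed version are reported but do not block
    exceptions  -- {"<CVE>:<package>": "YYYY-MM-DD"} approved, time-boxed risk acceptances
    today       -- ISO date string used to expire exceptions (defaults to the real date)
    Returns (blocking, accepted) as lists of "CVE:package@version severity [reason]".
    """
    ref_date = date.fromisoformat(today) if today else date.today()
    exceptions = exceptions or {}
    blocking, accepted = [], []
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        severity = vuln.get("severity", "Unknown")
        key = f"{vuln['id']}:{art['name']}"
        summary = f"{key}@{art['version']} {severity}"
        if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[threshold]:
            continue  # below the gate: left to normal backlog tracking
        if fixed_only and vuln.get("fix", {}).get("state") != "fixed":
            accepted.append(f"{summary} (no fix available)")
            continue
        expiry = exceptions.get(key)
        if expiry and date.fromisoformat(expiry) >= ref_date:
            accepted.append(f"{summary} (exception until {expiry})")
            continue
        blocking.append(summary)  # expired or absent exception: the build fails
    return blocking, accepted


def main(argv):
    # Typical pipeline step (grype's "-o json" output flag is real):
    #   grype dir:. -o json > grype.json && python gate.py grype.json
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    blocking, accepted = evaluate(report, threshold="High")
    for line in accepted:
        print("ACCEPTED ", line)
    for line in blocking:
        print("BLOCKING ", line)
    return 1 if blocking else 0  # non-zero exit code is what fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exception file is the audit trail the Evidence Required section asks for: each entry names the finding, the package and an expiry, so an accepted risk resurfaces as a blocking finding when the date passes instead of being forgotten. Keeping the exceptions in the repository alongside the pipeline configuration means changes to them go through code review.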
People / Process / Technology Enablers
People – Developers, QA, AppSec.
Process – Secure SDLC policy and testing schedule.
Technology – SonarQube, OWASP ZAP, Grype, DefectDojo.
Evidence Required
Pipeline configuration (the scan and gate steps as committed), scan reports per build, defect-tracking logs showing each finding's owner and closure, and the list of approved exceptions with expiry dates.
Metrics / KPIs
• percentage of builds on which all three scan types (SAST, DAST, SCA) actually executed
• number of open critical issues per application per month
• mean time to remediate high-severity findings
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| SAST | SonarQube / CodeQL | Find code-level flaws (injection, insecure API use) in source without running it. |
| DAST | OWASP ZAP | Probe the running application for exploitable behaviour; needs a deployed test instance. |
| SCA | Grype / Dependency-Check | Identify third-party components with known CVEs. |
Common Pitfalls
Running scans without tracking results; ignoring failed build reports; gating so aggressively on day one that teams disable the scan step instead of fixing findings.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001:2022 | A.8.25 (secure development life cycle) / A.8.28 (secure coding). |
| NIST CSF 2.0 | PR.PS-06 (secure software development practices integrated and monitored) / ID.RA-01 (vulnerabilities identified, validated and recorded). DE.CM-8 and PR.IP-1 are CSF 1.1 subcategory IDs, not CSF 2.0. |
| CERT-In 2022 | Application testing expectations. |
| NIRMATA Scoring | AS-Q08 ≥ Level 4 requires automated blocking on CI. |