SSDLC: A proactive approach to secure software development


The secure software development landscape is forever changing, and with those changes comes a confusing array of terms.

To clarify some relevant terms: static analysis is a collective name for test regimes that involve the automated "inspection" of source code without executing it. Dynamic analysis, by contrast, involves executing some or all of that source code.

Focus those techniques on security issues, and the result is Static Analysis (or Application) Security Testing (SAST) and Dynamic Analysis (or Application) Security Testing (DAST) respectively.

There are wide variations within these groupings, however. For example, penetration, functional, and fuzz tests are all "black box" DAST tests that need no access to source code in order to fulfil their function.

Black box DAST is complementary to white box DAST tests, including the unit, integration, and system tests used to reveal vulnerabilities in application source code through dynamic analysis during the SSDLC. Both are used in conjunction with SAST to ensure designed-in security for application software.
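To make the SAST/DAST distinction concrete, here is an added example in Python (not code from the original page or any real SAST/DAST product): a minimal static check walks a constructed source sample's syntax tree for calls to the builtin eval() without running anything, while a white-box fuzz harness actually executes one of the sample's functions on generated inputs and records every unhandled exception. The sample source, the single rule, and the harness are all assumptions made for illustration.

```python
import ast
import random

# Constructed sample source under review (an assumption for this example).
SAMPLE_SOURCE = '''
def parse_config(text):
    return eval(text)

def parse_ints(text):
    return [int(field) for field in text.split(",")]
'''

def sast_find_eval_calls(source):
    """Static analysis: walk the syntax tree without running the code and
    return (function name, line) for every call to the builtin eval()."""
    findings = []
    for fn in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id == "eval"):
                findings.append((fn.name, node.lineno))
    return findings

def load_sample():
    """Load the constructed sample so the dynamic harness can execute it."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)  # our own constant above, not untrusted input
    return namespace

def dast_fuzz(func, seed=1, iterations=200):
    """Dynamic analysis (white-box fuzz test): execute func on generated inputs
    and record each input that raises an unhandled exception."""
    rng = random.Random(seed)
    alphabet = "0123456789,- a"
    crashes = []
    for _ in range(iterations):
        text = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 8)))
        try:
            func(text)
        except Exception as exc:
            crashes.append((text, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    print("SAST findings:", sast_find_eval_calls(SAMPLE_SOURCE))
    crashes = dast_fuzz(load_sample()["parse_ints"])
    print(f"DAST: {len(crashes)} of 200 generated inputs crashed parse_ints")
    for text, exc_name in crashes[:3]:
        print(f"  input={text!r} -> {exc_name}")
```

The static check reports the eval() call by inspecting text alone; the fuzz harness only learns that parse_ints raises on malformed fields by running it, which is exactly what separates the two test families described above.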