The intensity of the tools used is not modified to save time; the default settings are kept.
Risk:Time pressure and lack of knowledge might lead to a wrong estimate of the test intensity that is actually needed.
On each push and/or at given intervals, automatic security tests are performed.
Risk:After pushing source code to the version control system, any delay in receiving feedback on defects makes them harder for the developer to remediate.
Unneeded tests are deactivated. For example, if the service uses a MongoDB database and no MySQL database, the dynamic scan does not need to test for SQL injection (checks that do apply to the components in use, such as NoSQL injection for MongoDB, stay enabled).
Risk:Because tools cover a wide range of vulnerability tests, many of those tests might not match the components in use. The scans then need more time and resources than necessary, and the feedback loop takes too long.
A deep scan with high test intensity and a low confidence threshold is performed.
Risk:Too low an intensity or too high a confidence threshold might leave vulnerabilities undetected.
A testing concept that accounts for the time each scan takes at a given intensity is created and applied. A dynamic analysis needs more time than a static analysis; depending on the test intensity, the dynamic scan might be performed on every commit, every night, every week, or once a month.
Risk:Scans might use too low a test intensity (vulnerabilities are missed) or too high a test intensity (feedback arrives too late for the trigger that started the scan).
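The following is an added example, not part of the original page or of any scanner's own configuration format. It models a testing concept as code: each pipeline trigger (push, nightly, weekly) gets a scan profile with an intensity, a confidence threshold and a time budget; test categories whose prerequisite component is not deployed (for instance SQL injection without a relational database) are dropped, while NoSQL injection stays enabled for MongoDB; and a validation step catches a concept whose rarer scans are shallower than its frequent ones. The category names, component names, durations and budgets are assumptions chosen for illustration.

```python
"""Scan planner for a testing concept (added example; all names and numbers are assumptions)."""
from dataclasses import dataclass

# Hypothetical scanner test categories and the components that make them relevant.
# None means the category applies to every web service and is never deactivated.
CATEGORY_REQUIRES = {
    "sql_injection": {"mysql", "postgresql", "mssql", "oracle"},
    "nosql_injection": {"mongodb", "couchdb"},
    "xxe": {"xml"},
    "ssti": {"jinja2", "thymeleaf", "freemarker"},
    "xss": None,
    "ssrf": None,
}

RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class ScanProfile:
    name: str
    intensity: str              # "low" | "medium" | "high"
    confidence_threshold: str   # lowest confidence that is still reported
    minutes_per_category: float # assumed cost of one test category at this intensity
    budget_minutes: float       # how long this trigger may delay feedback


# The testing concept: how deep a scan each trigger gets (assumed values).
CONCEPT = {
    "push":    ScanProfile("quick",   "low",    "high",   2.0,   15),
    "nightly": ScanProfile("nightly", "medium", "medium", 10.0,  480),
    "weekly":  ScanProfile("deep",    "high",   "low",    60.0,  2880),
}


def select_categories(components, categories=CATEGORY_REQUIRES):
    """Keep only the categories whose prerequisite component is deployed."""
    deployed = {c.lower() for c in components}
    return sorted(cat for cat, needs in categories.items()
                  if needs is None or needs & deployed)


def plan_scan(trigger, components, concept=CONCEPT):
    """Pick the profile for a trigger and check that the trimmed scan fits its budget."""
    profile = concept[trigger]
    cats = select_categories(components)
    estimate = len(cats) * profile.minutes_per_category
    return {
        "profile": profile.name,
        "intensity": profile.intensity,
        "confidence_threshold": profile.confidence_threshold,
        "categories": cats,
        "estimated_minutes": estimate,
        "within_budget": estimate <= profile.budget_minutes,
    }


def validate_concept(concept, order=("push", "nightly", "weekly")):
    """Return a list of problems; rarer triggers must not scan more shallowly
    (lower intensity or higher confidence threshold) than more frequent ones."""
    problems = []
    for earlier, later in zip(order, order[1:]):
        a, b = concept[earlier], concept[later]
        if RANK[b.intensity] < RANK[a.intensity]:
            problems.append(f"{later} scans less intensively than {earlier}")
        if RANK[b.confidence_threshold] > RANK[a.confidence_threshold]:
            problems.append(f"{later} uses a higher confidence threshold than {earlier}")
    return problems


if __name__ == "__main__":
    # Constructed component inventory for a service backed by MongoDB only.
    inventory = ["MongoDB", "nginx"]
    for trigger in ("push", "nightly", "weekly"):
        print(trigger, plan_scan(trigger, inventory))
    print("concept problems:", validate_concept(CONCEPT))
```

Running the module shows that the MongoDB-only service never spends push-time budget on SQL injection tests, while NoSQL injection, XSS and SSRF remain in every profile; `validate_concept` is the check to run whenever someone edits the concept, so that a weekly "deep" scan cannot silently end up shallower than the nightly one.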