SAMMY UI is optimized for resolutions with a width 1024px and higher.
Maturity Level 1
Maturity Level 2
Maturity Level 3
Perform automated security testing
V-ST-A-1: Do you scan applications with automated security testing tools?
  • You dynamically generate inputs for security tests using automated tools
  • You choose the security testing tools to fit the organization's architecture and technology stack, and balance depth and accuracy of inspection with usability of findings to the organization
Coverage
- None: There is no coverage for this activity or not all quality criteria have been fulfilled.
- Some: You perform this activity across some portion of your applications, to a certain extend, or review it on an ad-hoc basis, while making sure that all quality criteria are fulfilled.
- Half: You perform this activity across half of your applications, to a larger extent or review it at regular times (though not very often), while making sure that all quality criteria are fulfilled.
- Most/All: You perform this activity across most / all of your applications, to a full extent or review it at regular times at most once a year, while making sure that all quality criteria are fulfilled.
Description

Use automated static and dynamic security test tools for software, resulting in more efficient security testing and higher quality results. Progressively increase the frequency of security tests and extend code coverage.

Application security testing can be performed statically, by inspecting an application's source code without running it, or dynamically by simply observing the application's behavior in response to various input conditions. The former approach is often referred to as Static Application Security Testing (SAST), the latter as Dynamic Application Security Testing (DAST). A hybrid approach, known as Interactive Application Security Testing (IAST), combines the strengths of both approaches (at the cost of additional overhead) by dynamically testing automatically instrumented applications, allowing accurate monitoring of the application's internal state in response to external input.

Many security vulnerabilities are very hard to detect without carefully inspecting the source code. While this is ideally performed by expert or peer review, it is a slow and expensive task. Although "noisier" and frequently less accurate than expert-led reviews, automated SAST tools are cheaper, much faster, and more consistent than humans. A number of commercial and free tools are able to efficiently detect sufficiently important bugs and vulnerabilities in large code bases.

Dynamic testing does not require application source code, making it ideal for cases where source code is not available. It also identifies concrete instances of vulnerabilities. Due to its "black-box" approach , without instrumentation, it is more likely to uncover shallow bugs. Dynamic testing tools need a large source of test data whose manual test generation is prohibitive. Many tools exist which generate suitable test data automatically, leading to more efficient security testing and higher quality results.

Select appropriate tools based on several factors, including depth and accuracy of inspection, robustness and accuracy of security test cases, available integrations with other tools, usage and cost model, etc. When selecting tools, use input from security-savvy technical staff as well as developers and development managers and review results with stakeholders.

Endorsed Solutions for Mastering Scalable Baseline
vendor logo Become a Recommended Vendor for Scalable Baseline!

Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Scalable Baseline? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!

Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Loading...
Loading, please wait.
Community guidance

This guidance is based on the approved community submissions.

Loading...
Loading, please wait.