Does anyone have a recommendation for a SAST / DAST scanning tool that supports a variety of languages (front end and backend), has minimal false positives, supports automation (via API or other), integrates with IDEs and integrates with GitLab?

3.8k views1 Upvote6 Comments

Sort by:

Chief Information Security Officer in Software2 years ago

There are several reputable SAST/DAST tools in the market that cater to a wide variety of languages and offer integration with IDEs and GitLab. It's crucial to understand that no scanning tool will have zero false positives, but some have invested heavily in reducing them. When considering a solution, it's essential to evaluate it based on your specific requirements and conduct a proof of concept. Tools like Snyk, Checkmarx, Fortify, and Veracode are well-regarded in the industry, but the best fit would depend on your organization's specific context and needs. I'd recommend engaging with multiple vendors, assessing their tool's capabilities, and gathering feedback from peers in the industry to make an informed decision.

Director & Founder2 years ago

For SAST tools you can consider Sonarqube and Snyk.
For DAST Beagle Security, Intruder, and Detectify seems to do a good job.

CTO in Software5 years ago

For SAST and IAST, I'd talk to Checkmarx. Then if you want to layer on DAST, talk to Synopsys

CTO in Software5 years ago

DAST - Rapid7 AppSpider
DAST - SonarQube

Chief Security Officer in Software5 years ago

We are in the process of testing GitLab Ultimate. It has security features like SAST/DAST and fuzzing. I have also used Veracode in the past.

1 1 Reply

no title2 years ago

Gitlab doesn't have its own SAST and DAST features but it integrates with other open source tools for SAST and DAST. I tried Gitlab once, I prefer Github security a lot. Recently also gave a talk on devsecops and here are some commercial open source tools I recommended for devsecops roadmap in the talk. Security check Tools 1. Secure Access to Infrastructure Teleport 2. SAST Semgrep 3. Secret Scanning Trufflehog 4. IaC scanning TerraScan 5. Dependencies Dependabot 6. DAST/ IAST/ API Security Testing Akto.io

Content you might like

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

Have you evaluated any “AI native” data security platforms so far (like Concentric AI, Normalyze, etc)? Interested to know your thoughts on these, whether or not you move forward with implementing.

It's been announced that Windows 11 will be serviced on a monthly basis, similar to Windows 10's infamous "Patch Tuesdays". What's the ideal service cadence for this OS?

Updates should be released daily.6%

Updates should be released weekly61%

Updates should stay monthly.22%

Updates should be pushed quarterly.9%

Other (comment below)

View Results

How vulnerable is the real estate industry to cyberattacks?

As vulnerable as tech sector37%

Less vulnerable than tech sector52%

Not vulnerable5%

Don't know3%

View Results

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

Does anyone have a recommendation for a SAST / DAST scanning tool that supports a variety of languages (front end and backend), has minimal false positives, supports automation (via API or other), integrates with IDEs and integrates with GitLab?

Sort by:

Content you might like

Have you evaluated any “AI native” data security platforms so far (like Concentric AI, Normalyze, etc)? Interested to know your thoughts on these, whether or not you move forward with implementing.

It's been announced that Windows 11 will be serviced on a monthly basis, similar to Windows 10's infamous "Patch Tuesdays". What's the ideal service cadence for this OS?

How vulnerable is the real estate industry to cyberattacks?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go