Does anyone have a recommendation for a SAST / DAST scanning tool that supports a variety of languages (front end and backend), has minimal false positives, supports automation (via API or other), integrates with IDEs and integrates with GitLab?

Security & GRC
3.8k viewscircle icon1 Upvotecircle icon6 Comments
Sort by:
Chief Information Security Officer in Software2 years ago

There are several reputable SAST/DAST tools in the market that cater to a wide variety of languages and offer integration with IDEs and GitLab. It's crucial to understand that no scanning tool will have zero false positives, but some have invested heavily in reducing them. When considering a solution, it's essential to evaluate it based on your specific requirements and conduct a proof of concept. Tools like Snyk, Checkmarx, Fortify, and Veracode are well-regarded in the industry, but the best fit would depend on your organization's specific context and needs. I'd recommend engaging with multiple vendors, assessing their tool's capabilities, and gathering feedback from peers in the industry to make an informed decision.

Lightbulb on1
Director & Founder2 years ago

For SAST tools you can consider Sonarqube and Snyk.
For DAST Beagle Security, Intruder, and Detectify seems to do a good job.

CTO in Software5 years ago

For SAST and IAST, I'd talk to Checkmarx. Then if you want to layer on DAST, talk to Synopsys

CTO in Software5 years ago

DAST - Rapid7 AppSpider
DAST - SonarQube

Chief Security Officer in Software5 years ago

We are in the process of testing GitLab Ultimate. It has security features like SAST/DAST and fuzzing. I have also used Veracode in the past.

Lightbulb on1 circle icon1 Reply
no title2 years ago

Gitlab doesn&#39;t have its own SAST and DAST features but it integrates with other open source tools for SAST and DAST. I tried Gitlab once, I prefer Github security a lot.<br>Recently also gave a talk on devsecops and here are some commercial open source tools I recommended for devsecops roadmap in the talk. <br><br> <br><br>Security check<br><br> <br><br>Tools<br><br>1. Secure Access to Infrastructure <br><br> <br><br>Teleport<br><br>2. SAST<br><br> <br><br>Semgrep<br><br>3. Secret Scanning<br><br> <br><br>Trufflehog<br><br>4. IaC scanning<br><br> <br><br>TerraScan<br><br>5. Dependencies<br><br> <br><br>Dependabot<br><br>6. DAST/ IAST/ API Security Testing<br><br> <br><br>Akto.io<br><br>

Content you might like

Do you think your security org has a “heroism” culture? (in other words are team members expected to exhaust themselves to achieve results?)

Yes28%

Only among certain teams43%

No13%

Don’t know / can’t say14%

View Results

Why do you think there are so few mature AI-driven autonomous pentesting solutions on the market, and why does this topic seem to generate more hype than in-depth technical discussion?

Read More Comments

For those who have trialed an AI pentest solution: what was the single biggest gap you encountered?

Read More Comments

With AI adoption accelerating across enterprises, what do you view as the top information security challenge that leaders should address? How can CISOs, VPs and Director’s align governance, risk and security investments to enable AI innovation without creating new exposures?

Read More Comments

What’s your top barrier to adopting AI-driven pentesting?

Lack of mature vendor solutions44%

Trust in AI accuracy61%

Budget constraints28%

Skills to operate the tools44%

View Results