Exam CAS-004 topic 1 question 282 discussion

The key is, " identify weaknesses earlier in the development process.." SAST (C): Static application security testing finds vulnerabilities in the custom code written by the developers (including serverless function code) before it's even run, which meets the "identify earlier" and "reduce cost" objectives. SCA (D): Software composition analysis finds known vulnerabilities in the third-party dependencies used by the application. This is critical for modern development (especially serverless) and can also be done very early in the cycle.

While IAST identifies vulnerabilities during runtime, it is typically used in testing or staging environments rather than early in the SDLC. It complements but does not replace SAST or SCA.

A. IAST (Interactive Application Security Testing): IAST integrates into the development environment and actively tests applications while they are running. It allows for real-time feedback and can detect vulnerabilities earlier in the development process. By analyzing the code and behavior of an application while it is running, IAST helps identify vulnerabilities during the testing phase before the app is deployed. This is ideal for identifying issues earlier in the development cycle. C. SAST (Static Application Security Testing): SAST analyzes the source code, bytecode, or binary files of an application for vulnerabilities before the application runs. Since it works on the codebase itself, it allows developers to detect vulnerabilities early in the development process, thus preventing vulnerabilities from being deployed. This is especially useful in serverless environments, where vulnerabilities could be introduced by misconfigurations or insecure code in the serverless functions.

AD, they already have implemented DAST, so based in the bounty program they need to check the code (included in A...IAST=DAST+SAST) and also need SCA, this way have covered almost any bug reported.

SAST: Analyzes source code for vulnerabilities before deployment. SCA: Identifies and manages risks associated with third-party components.

IAST (Interactive Application Security Testing): IAST solutions can analyze applications during runtime and provide real-time feedback on potential vulnerabilities. By integrating IAST into the DevSecOps pipeline, the startup can identify security weaknesses earlier in the development process, allowing developers to address issues as they arise. IAST complements DAST by providing deeper insights into application behavior and vulnerabilities while reducing false positives. SCA (Software Composition Analysis): SCA tools help identify and manage open-source components and dependencies within applications. Since many serverless applications heavily rely on third-party libraries and frameworks, SCA can help detect vulnerabilities in these components early in the development lifecycle. By integrating SCA into the DevSecOps pipeline, the startup can proactively identify and remediate vulnerabilities related to third-party dependencies, reducing the risk of exploitation and associated remediation costs.

I’d say C and D based on the following definitions. A – IAST: IAST identifies security vulnerabilities in running applications while providing developers with the relevant lines of code and contextual remediation advice. B – RASP : Runtime Application Self-Protection (RASP) is a tool that can detect attacks on applications as they occur. A RASP implementation can protect applications from malicious data and behavior by analyzing how the program behaves. If the application's behavior indicates something is wrong, RASP can help stop the threat. C – SAST: Static application security testing is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities.

IAST is the same as DAST + SAST so best to use SAST with SCA

A. IAST (Interactive Application Security Testing) - IAST tools typically combine elements of both SAST and DAST and are designed to identify security vulnerabilities in applications as they are running, especially in real-time environments; C. SAST (Static Application Security Testing) - SAST analyzes the source code, bytecode, or binary code of applications for vulnerabilities without executing the code. By doing this analysis at the code level, SAST can identify vulnerabilities early in the SDLC.

To identify weaknesses earlier in the development process for serverless application vulnerabilities and reduce costs associated with remediation, the startup should consider the following options: A. IAST (Interactive Application Security Testing): IAST solutions can provide real-time feedback during the development process by analyzing code and identifying vulnerabilities. Unlike DAST (Dynamic Application Security Testing), which tests the application from the outside, IAST works from within the application, making it well-suited for identifying vulnerabilities in serverless applications. C. SAST (Static Application Security Testing): SAST tools can analyze the source code and identify potential vulnerabilities before the application is even deployed. It can be integrated into the development pipeline, allowing developers to catch and remediate vulnerabilities early in the process. Both IAST and SAST can help identify weaknesses early in the development process, reducing the time to identify vulnerabilities and the associated remediation costs.

Since this is for early in development, I'm going with IAST and SAST.