SAST Requirements

For our SAST initiatives we use SonarCloud, a widely adopted tool that systematically reviews source code to identify potential security vulnerabilities and to assess code quality and technical debt. It is an essential component of our CI pipeline, delivering automated and immediate feedback on the integrity of each code change. SonarCloud's detection capabilities for a broad variety of security weaknesses and code quality issues are crucial for maintaining high standards throughout our software development process.

Rules

As for the rules applied, we adhere to the quality profiles and rule sets provided by SonarCloud. These rules cover a wide spectrum of coding and security best practices, providing a robust defense against common and emerging vulnerabilities. The complete set of rules used for our scans can be accessed and reviewed for transparency and insight into our SAST practices.

For more information on the specific rules applied during our analysis, refer to the SonarCloud rules for the openIMIS organization: SonarCloud openIMIS Rules.

DAST Requirements

For our DAST initiatives, we have chosen OWASP ZAP (Zed Attack Proxy) as our primary tool. OWASP ZAP stands out in the realm of open-source security tools for its effectiveness in discovering vulnerabilities in web applications while they are active. This tool is adept at revealing a wide range of security weaknesses, which makes it a perfect fit for our security testing requirements.

Rules

As for the rules used in scans, we rely on the default scan policy maintained by OWASP. This policy is a comprehensive set of rules and configurations developed to cover a wide range of current web application vulnerabilities.
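To make the two requirements above concrete, the following workflow shows how a SonarCloud SAST scan and an OWASP ZAP DAST baseline scan can be wired into a CI pipeline so that both run automatically on each change. This is an added illustration, not the openIMIS project's own pipeline configuration: it assumes GitHub Actions as the CI system, a `SONAR_TOKEN` repository secret, and placeholder values (`<ORG_KEY>`, `<PROJECT_KEY>`, the staging URL) that would be replaced with the project's real identifiers. The ZAP step uses the official `zap-baseline.py` script, which spiders the target and applies the default policy's passive rules; it does not launch active attacks against the target.

```yaml
# Added example (not the project's own CI config). Assumes GitHub Actions.
name: security-scans

on:
  push:
    branches: [main]
  pull_request:

jobs:
  sast-sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history lets SonarCloud attribute new issues to the change under review.
          fetch-depth: 0
      - name: Run SonarCloud scan
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed repository secret
        run: |
          # sonar-scanner CLI is assumed to be installed on the runner.
          # sonar.qualitygate.wait=true makes the job fail when the
          # SonarCloud quality gate (security hotspots, vulnerabilities,
          # quality thresholds) is not met, so bad changes block the merge.
          sonar-scanner \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.organization=<ORG_KEY> \
            -Dsonar.projectKey=<PROJECT_KEY> \
            -Dsonar.sources=. \
            -Dsonar.qualitygate.wait=true

  dast-zap-baseline:
    runs-on: ubuntu-latest
    # DAST needs a running application; run it only after SAST passes.
    needs: sast-sonarcloud
    steps:
      - uses: actions/checkout@v4
      - name: Run OWASP ZAP baseline scan
        env:
          TARGET_URL: https://staging.example.invalid   # placeholder deployment URL
        run: |
          # Mount the workspace so the HTML/JSON reports land in the job workspace.
          # zap-baseline.py exits non-zero when FAIL alerts are found (and on
          # WARN alerts unless -I is passed), which fails the pipeline.
          docker run --rm \
            -v "$PWD":/zap/wrk/:rw \
            -t ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t "$TARGET_URL" \
              -r zap-report.html -J zap-report.json
      - name: Keep scan reports for review
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-reports
          path: |
            zap-report.html
            zap-report.json
```

Two design points worth noting: the SAST job runs on every pull request so feedback arrives before merge, while the DAST job targets an already deployed environment (here an assumed staging instance) rather than the pull request checkout itself, because ZAP needs a live application to exercise. Uploading the ZAP reports with `if: always()` preserves the evidence even when the scan fails the build.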

...