SAST Requirements

Tool

For our SAST initiatives, we use SonarCloud, a tool that systematically reviews source code to identify potential security vulnerabilities and to assess code quality and technical debt. It is an integral part of our CI pipeline, providing automated, immediate feedback on the integrity of each code change. Its detection of a wide variety of security weaknesses and code quality issues is crucial for maintaining high standards throughout our software development process.

...

For more information on the specific rules applied during our analysis, refer to the SonarCloud rules for the openIMIS organization: SonarCloud openIMIS Rules.

DAST Requirements

Tool

For our DAST initiatives, we have chosen OWASP ZAP (Zed Attack Proxy) as our primary tool. OWASP ZAP is a widely used open-source tool for discovering vulnerabilities in web applications while they are running. It detects a wide range of security weaknesses, which makes it well suited to our security testing requirements.

...