DevSecOps - jibingl/CCNA-CCNP GitHub Wiki

DevSecOps - Addressing Security Challenges in a Fast Evolving Landscape White Paper

Security Testing

  • SAST - Static Application Security Testing
  • DAST - Dynamic Application Security Testing
|                      | SAST (Static)                               | DAST (Dynamic)                                               |
|----------------------|---------------------------------------------|--------------------------------------------------------------|
| Testing approach     | White-box (inside-out)                      | Black-box (outside-in)                                       |
| How                  | Scans source code without executing it      | Simulates attacks by interacting with the running application |
| Visibility           | Full access to source code/binaries         | No access to source code needed                              |
| When it occurs       | Early in the SDLC (coding/build)            | Later in the SDLC (testing/production)                       |
| Vulnerabilities found | Code-level flaws (e.g., hardcoded secrets) | Runtime flaws (e.g., server configuration)                   |
| Tools                | SonarQube, FindSecurityBugs, Snyk Code      | OWASP ZAP, Burp Suite, StackHawk                             |
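An added example, not from the wiki or the white paper: a minimal SAST rule written in Python. It parses source with the `ast` module (white-box, nothing is executed) and flags string literals assigned to credential-looking names, the "hardcoded secrets" class of flaw from the table. The sample module it scans is constructed for this example, and the name pattern is an assumption; real SAST tools carry much larger rule sets.

```python
import ast
import re
from typing import List, Tuple

# Constructed sample module (not from the page): one hardcoded credential,
# one secret read from the environment, and one harmless constant.
SAMPLE_SOURCE = '''
import os
DB_PASSWORD = "hunter2-not-a-real-password"
api_key = os.environ.get("API_KEY")
timeout = 30
'''

# Assumed naming heuristic: variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(pass(word)?|secret|token|api_?key)", re.IGNORECASE)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every assignment of a string
    literal to a credential-looking name. A DAST scanner could never see
    this: it is visible only with the source in hand."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        # Only string literals count; os.environ.get(...) is a Call, so it is skipped.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                findings.append((node.lineno, target.id))
    return findings


if __name__ == "__main__":
    for line, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line}: string literal assigned to {name}")
```

Run it on a real module by passing the file contents to `find_hardcoded_secrets`; the `api_key` line is deliberately not reported, since reading from the environment is the fix the rule is steering developers toward.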
  • Fuzz Testing (Fuzzing)
|       | Fuzzing                                                                                                         |
|-------|-----------------------------------------------------------------------------------------------------------------|
| How   | Bombard a program with invalid, unexpected, or random data as inputs                                            |
| Goal  | Trigger crashes, memory leaks, or failing code assertions to uncover hidden bugs and security vulnerabilities   |
| Tools | Mutiny                                                                                                          |
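An added example, not from the wiki or the Mutiny project: a tiny mutation fuzzer in Python run against a constructed toy record parser that trusts a length field taken from the input. The parser, the seed record and the mutation operators are all assumptions made for this illustration; what it shows is the harness pattern behind any fuzzer, namely start from a valid seed, mutate it, and classify each run as ok, an expected rejection, or an unhandled crash worth triaging.

```python
import random
from typing import Dict, List


def parse_record(data: bytes) -> dict:
    """Constructed program under test.

    Wire format: [length][tag][payload, `length` bytes][checksum].
    Deliberate defect: `length` comes from the input and is trusted, so a
    length larger than the remaining data makes the checksum lookup read
    past the end of the buffer (IndexError here; an out-of-bounds read in C).
    """
    length = data[0]
    tag = data[1]
    payload = data[2:2 + length]
    if sum(payload) % 256 != data[2 + length]:
        raise ValueError("bad checksum")  # expected rejection of malformed input
    return {"tag": tag, "payload": payload}


def make_seed() -> bytes:
    """A valid record used as the starting corpus: length 3, tag 1, payload 'abc'."""
    payload = b"abc"
    return bytes([len(payload), 1]) + payload + bytes([sum(payload) % 256])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, delete a byte, insert a byte, or truncate."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)


def classify(data: bytes) -> str:
    """'ok' for accepted input, 'rejected' for the parser's own validation
    error, otherwise the name of the unhandled exception (a crash)."""
    try:
        parse_record(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return type(exc).__name__


def run_fuzzer(iterations: int = 200, seed: int = 1) -> Dict[str, object]:
    """Mutate the seed `iterations` times and tally outcomes. The RNG is seeded
    so a finding can be reproduced, which is what a triage workflow needs."""
    rng = random.Random(seed)
    crashes: List[bytes] = []
    crash_types = set()
    tally = {"ok": 0, "rejected": 0}
    for _ in range(iterations):
        case = mutate(make_seed(), rng)
        outcome = classify(case)
        if outcome in tally:
            tally[outcome] += 1
        else:
            crashes.append(case)
            crash_types.add(outcome)
    return {
        "iterations": iterations,
        "ok": tally["ok"],
        "rejected": tally["rejected"],
        "crashes": len(crashes),
        "crash_types": sorted(crash_types),
        "example_crash": crashes[0] if crashes else None,
    }


if __name__ == "__main__":
    print(run_fuzzer())
```

The `rejected` bucket is the parser doing its job; only the `crashes` bucket is a finding. The fix for the toy defect is a bounds check on `length` before any indexing, after which the same seeded run should report zero crashes.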