🛠 AppSec tools: let’s talk about definitions
A remark first:
Wow, I keep running into misunderstandings about how tools work or what they are for, or a lack of interest in even googling them.
The feeling remains that people have been interested in AppSec and the DevSecOps process for a long time, but the main thing is not to get involved and rather to get lost (what if it gets eaten there?), and in general this is the case everywhere in related areas, such as PMI or the value of the product.
Think about it: when was the last time someone properly gave you a non-trivial task to test or develop your skills? And one that suits you; it is not even about the fact that only you are able to solve it, but that there is simply, “bluntly”, no one else.
Okay, they threw in a little, at least it will be pretty 😄
For this reason, I decided to put together a general set of definitions for the toolchain, so that we can understand each other conceptually:
- DAST (Dynamic Application Security Testing) – dynamic security testing of an application while it is running, that is, an imitation of real attacks against the live application
- SAST (Static Application Security Testing) – static analysis of source code, without running it, for errors and vulnerabilities
- SCA (Software Composition Analysis) – analysis of the composition of the software’s components (its dependencies)
- OSA (Open Source Analysis) – analysis of open-source components as they enter the development perimeter, that is, the process of checking the security of open-source components, combining SCA, SCS and license-risk analysis tools
- SCS (Secure Code Standards) – a set of rules and practices that software developers follow to prevent security violations, uncontrolled data leaks and other types of threats
- License Policy – control over violations of license agreements, roughly copyright compliance (something like DMCA crossed with the trade-secret side)
- SBOM (Software Bill of Materials) – an inventory of all components (packages, libraries) used in the application being developed or needed for it to run
- NVS (Network Vulnerability Scanner) – a network vulnerability scanner focused on L3/L4, with limited DAST capabilities (which is not trivial)
- BCA (Bytecode and Container Analysis) – analysis of binary code and of container composition
- CIS (Container Image Scanner) – scanning container images for vulnerabilities (container security)
- CSPM (Cloud Security Posture Management) – control of Kubernetes and cloud configurations
- SM (Secret Management) – management of secrets
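To show how three of these definitions (SBOM, SCA and License Policy) fit together in practice, here is an added example that is not part of the original post: it reads a constructed CycloneDX-style SBOM, matches components against a constructed advisory list (the SCA step) and applies a constructed license policy. The advisory id, package names and denied-license set are all placeholders.

```python
"""Added example: minimal SBOM-driven SCA and license-policy check.
All data below is constructed sample data, not a real feed or policy."""
import json

# Constructed CycloneDX-style SBOM fragment: the inventory of components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "example-lib", "version": "2.0.1", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "other-lib", "version": "0.9.0", "licenses": []}
  ]
}
"""

# Constructed advisory feed: (name, affected version) -> placeholder advisory id.
ADVISORIES = {("example-lib", "2.0.1"): "EXAMPLE-ADVISORY-0001"}

# Constructed license policy: licenses that may not enter the development perimeter.
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}


def parse_sbom(text):
    """Return [(name, version, [license ids])] from a CycloneDX-style JSON document."""
    doc = json.loads(text)
    out = []
    for comp in doc.get("components", []):
        ids = [lic.get("license", {}).get("id", "UNKNOWN") for lic in comp.get("licenses", [])]
        out.append((comp["name"], comp["version"], ids))
    return out


def sca_findings(components, advisories=ADVISORIES):
    """SCA step: match each inventoried component against known-vulnerable versions."""
    return {(n, v): advisories[(n, v)] for n, v, _ in components if (n, v) in advisories}


def license_findings(components, denied=DENIED_LICENSES):
    """License-policy step: flag denied licenses and components with no declared license."""
    findings = {}
    for n, v, ids in components:
        bad = sorted(set(ids) & denied)
        if not ids:
            findings[(n, v)] = ["NO-LICENSE-DECLARED"]  # unknown license is itself a risk
        elif bad:
            findings[(n, v)] = bad
    return findings


if __name__ == "__main__":
    comps = parse_sbom(SBOM_JSON)
    print("SCA findings:", sca_findings(comps))
    print("License findings:", license_findings(comps))
```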
In total: now you can explain in simple terms what the information security folks mean when they come to you and talk about some bugs and vulnerabilities.
#toolchain #appsec #devsecops #specialty