A development team is implementing a 'shift-left' security strategy to identify vulnerabilities early in the software development lifecycle (SDLC). The team wants to analyze the application's source code for security flaws, such as potential SQL injection and buffer overflows, without executing the program. Which of the following techniques should the team use?
Static Application Security Testing (SAST) is the correct technique because it analyzes an application's source code (or compiled bytecode and binaries) for security flaws without running the program: a SAST tool parses the code and traces how untrusted input flows into dangerous operations such as SQL query construction or fixed-size buffer writes. That lets developers find and fix issues like SQL injection and buffer overflows while the code is still being written, which is the core principle of 'shift-left' security. Dynamic Application Security Testing (DAST) tests the application in its running state by sending requests and observing responses, so it needs a deployed build and sees behaviour rather than source. Fuzzing likewise feeds malformed or unexpected input to a running program to trigger crashes or hangs. A web application firewall (WAF) is a runtime network control that inspects HTTP traffic and blocks known attack patterns at the network edge; it mitigates attacks against a deployed application but does not analyze source code at all. In practice SAST findings need triage (static analysis produces false positives and cannot see deployment-time configuration), so teams pair it with DAST later in the pipeline; for catching source-level flaws before the code ever runs, though, SAST is the right choice.
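To make concrete what "analyzing source code without executing it" means, here is a toy source-to-sink taint check written for this page. It is an added example, not code from the original page or from any SAST product. It parses Python with the standard `ast` module, treats `input()` and `request.args.get` / `request.form.get` as assumed untrusted sources, and reports any `execute()` call (an assumed DB-API sink name) whose SQL text is derived from those sources through assignment, concatenation, `%` formatting, `.format()` or an f-string. The two sample programs are constructed for the demo; the analysis only parses them and never imports or runs them.

```python
"""Toy source-to-sink taint check: the core idea behind a SAST rule for SQL injection."""
import ast
from typing import List, Set, Tuple

# Assumed untrusted sources (hypothetical for this demo): anything read from a
# user or an HTTP request. Real tools ship thousands of such source definitions.
TAINT_SOURCES = {"input", "request.args.get", "request.form.get"}
# Assumed sink: the DB-API style `cursor.execute(sql, params)` method name.
SINK_METHOD = "execute"


def _dotted_name(node: ast.AST) -> str:
    """Render `request.args.get` (an Attribute chain over a Name) as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _is_tainted(node: ast.AST, tainted: Set[str]) -> bool:
    """True if any sub-expression reads a tainted variable or calls a taint source."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _dotted_name(sub.func) in TAINT_SOURCES:
            return True
    return False


def _describe(node: ast.AST) -> str:
    """Name the construct that carries tainted data into the SQL string."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() call"
    if isinstance(node, ast.Name):
        return f"variable '{node.id}'"
    return "expression"


def find_sqli(source: str) -> List[Tuple[int, str]]:
    """Return (line, construct) for each execute() whose SQL text derives from a taint source."""
    nodes = list(ast.walk(ast.parse(source)))

    # Pass 1: flow-insensitive taint propagation through assignments, iterated
    # to a fixpoint so that statement order does not matter.
    tainted: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for node in nodes:
            targets: List[ast.AST] = []
            if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                targets = node.targets
            elif isinstance(node, ast.AugAssign) and _is_tainted(node.value, tainted):
                targets = [node.target]
            for target in targets:
                if isinstance(target, ast.Name) and target.id not in tainted:
                    tainted.add(target.id)
                    changed = True

    # Pass 2: inspect the first argument (the SQL text) of every execute() sink.
    # Tainted values passed as bound parameters in later arguments are fine.
    findings = []
    for node in nodes:
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == SINK_METHOD and node.args):
            sql = node.args[0]
            if _is_tainted(sql, tainted):
                findings.append((node.lineno, _describe(sql)))
    return sorted(findings)


# Constructed sample programs (not real code from any project).
VULNERABLE = '''
from flask import request
def lookup(cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)
    cursor.execute(f"SELECT * FROM audit WHERE uid = {user_id}")
'''

SAFE = '''
from flask import request
def lookup(cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(label, find_sqli(src))
```

The `SAFE` program still reads the same untrusted value, but because it reaches `execute()` as a bound parameter rather than inside the query text, the checker stays silent; that is exactly the distinction a SQL injection rule has to make. Production SAST engines generalize this sketch: they are flow- and context-sensitive, follow taint across function calls and recognize sanitizers, and so cut the false positives a flow-insensitive rule like this one produces. The point of the toy is that every finding comes from the parse tree alone, before the program ever runs, which is what lets SAST sit in a pre-commit hook or an early CI stage.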