Relying on DAST/SAST is like investing in a restaurant where the chef needs to be reminded how to safely handle a knife. No surprise that software developers have dragged computer end-users into the current situation, where software products are no longer reliable, or are packed with vulnerabilities.
I have mentioned before that I believe the root cause of security weaknesses lies mainly in how software is developed. Now imagine software developers relying on SAST and DAST tools to remind them of a class of code injection that has literally been known for three decades.
Depending on a software development team that has to be reminded of SQL injection by a SAST tool is like depending on a chef who always has to be reminded how to handle a knife safely; otherwise they are going to cut their finger and the customer will get bloody French fries.
I am not conceptually against the use of static or dynamic application security testing; there are many techniques for doing it. But thinking that a developer should have to be reminded of the OWASP Top 10, and that this is going to be accomplished through what the community calls SAST or DAST? To me that means there is no way I can trust the output of such a naive development process.
Relying on a software developer who depends on SAST/DAST tools to point them to an XSS issue is similar to relying on a cook who depends on tools to tell them they have to prepare the dough before putting it in the oven!
Author
Do we really have to remind a software developer in the 21st century to take care of broken authentication, and do we have to buy them a tool so they don't need to use their brain, or are we better off finding qualified software developers for our kitchen? 😀