{"id":48371,"date":"2022-07-26T11:25:46","date_gmt":"2022-07-26T15:25:46","guid":{"rendered":"https:\/\/sdtimes.com\/?p=48371"},"modified":"2023-07-14T14:18:28","modified_gmt":"2023-07-14T18:18:28","slug":"combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools","status":"publish","type":"post","link":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/","title":{"rendered":"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">When creating, testing, and deploying software, many development companies now use <\/span><a href=\"https:\/\/www.kiuwan.com\/code-security-sast\/\"><span style=\"font-weight: 400;\">proprietary software<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/www.kiuwan.com\/insights-open-source\/\"><span style=\"font-weight: 400;\">open source software (OSS)<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Proprietary software, also known as closed-source or non-free software, includes applications for which the publisher or another person reserves licensing rights to modify, use, or share modifications. Examples include Adobe Flash Player, Adobe Photoshop, macOS, Microsoft Windows, and iTunes.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In contrast, OSS grants users the ability to use, change, study, and distribute the software and its source code to anyone on the internet. Accordingly, anyone can participate in the development of the software. 
Examples include MongoDB, LibreOffice, Apache HTTP Server, and the GNU\/Linux operating system.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This means that many organizations are using third-party OSS code and modules in their own software. While these additions are incredibly useful for many applications, they can also expose organizations to risks. According to <\/span><a href=\"https:\/\/info.revenera.com\/SCA-RPT-OSS-License-Compliance-2022\/?lead_source=PR\"><span style=\"font-weight: 400;\">Revenera&#8217;s 2022 State of the Software Supply Chain Report<\/span><\/a><span style=\"font-weight: 400;\">, 64% of organizations were impacted by software supply chain attacks caused by vulnerabilities in OSS dependencies.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although OSS can expose organizations to risks, avoiding OSS and open-source dependencies is not practical. OSS and its dependencies now play an integral role in development. This is particularly the case for JavaScript, Ruby, and PHP application frameworks, which tend to use multiple OSS components.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Since software companies cannot realistically avoid using OSS, cybersecurity teams must address the vulnerabilities associated with OSS by employing software composition analysis (SCA) tools. Additionally, they need to combine SCA with static application security testing (SAST), since proprietary software such as Microsoft Windows and Adobe Acrobat is also used.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Read on to learn more about SAST and SCA. This article will also explain how cybersecurity teams can combine SAST and SCA into a comprehensive cybersecurity strategy.<\/span><\/p>\n<h5><b>What Is SAST?<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">SAST is a code scanning program that reviews proprietary code and application sources for cybersecurity weaknesses and bugs. 
Also known as white box testing, SAST is considered a static approach because it analyzes code without running the app itself. Since it only reads code line by line and doesn&#8217;t execute the program, SAST platforms are extremely effective at removing security vulnerabilities at every stage of the software development lifecycle (SDLC), particularly during the first few stages of development.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Specifically, SAST programs can help teams:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Find common vulnerabilities, such as buffer overflow, cross-site scripting, and SQL injection<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Verify that development teams have conformed to development standards<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Root out intentional breaches and acts, such as supply chain attacks<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Spot weaknesses before the code goes into production and creates vulnerabilities<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Scan all possible states and paths for proprietary software bugs of which development teams were not aware<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Implement a proactive security approach by reducing issues early in the SDLC<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">SAST plays an integral role in software development. By giving development teams real-time feedback as they code, SAST can help teams address issues and eliminate problems before they go to the next phase of the SDLC. 
This prevents bugs and vulnerabilities from accumulating.\u00a0<\/span><\/p>\n<h5><b>What Is SCA?<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">SCA is a code analysis tool that inspects source code, package managers, container images, and binary files, and lists the open-source components it finds in an inventory called a Bill of Materials (BOM). The software then compares the BOM with databases that hold information about common and known vulnerabilities, such as the U.S. National Vulnerability Database (NVD). The comparison enables cybersecurity teams to spot critical legal and security vulnerabilities and fix them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Some SCA tools can also use that inventory to identify the licenses connected with the open-source code. Cutting-edge SCA tools may also be able to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Analyze overall code quality (e.g., history of contributions and version control)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automate the entire process of working with OSS modules, including selecting them and blocking them from the IT environment as needed<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Provide ongoing alerts and monitoring for vulnerabilities reported after an organization deploys an application<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Detect and map known OSS vulnerabilities that can&#8217;t be found through other tools<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Map legal compliance risks associated with OSS dependencies by identifying the licenses in open-source packages<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Monitor new 
vulnerabilities\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Every software development organization should consider getting SCA for legal and security compliance. Secure, reliable, and efficient, SCA allows teams to track open-source code with just a few clicks of the mouse. Without SCA, teams need to manually track open-source code, a near-impossible feat due to the staggering number of OSS dependencies.\u00a0<\/span><\/p>\n<h5><b>How To Use SAST and SCA To Mitigate Vulnerabilities<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">Using SAST and SCA to mitigate vulnerabilities is not as easy as it seems. This is because using SAST and SCA involves much more than just pressing buttons on a screen. Successfully implementing SAST and SCA requires IT and cybersecurity teams to establish and follow a security program across the organization, an endeavor that can be challenging.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Luckily, there are a few ways to do this:<\/span><\/p>\n<h5><b>1. Use The DevSecOps Model<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">Short for development, security, and operations, DevSecOps is an approach to platform design, culture, and automation that makes security a shared responsibility at every phase of the software development cycle. It contrasts with traditional cybersecurity approaches that employ a separate security team and quality assurance (QA) team to add security to software at the end of the development cycle.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Cybersecurity teams can follow the DevSecOps model when using SAST and SCA to mitigate vulnerabilities by implementing both tools and approaches at every phase of the software development cycle. To start, they should introduce SAST and SCA tools to the DevSecOps pipeline as early in the creation cycle as possible. Specifically, they should introduce the tools during the coding stage, during which time the code for the program is written. 
This will ensure that:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Security is not just an afterthought<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The team has an unbiased way to root out bugs and vulnerabilities before they reach critical mass<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Although it can be difficult to convince teams to adopt two security tools at once, it is possible with enough planning and discussion. However, if teams prefer to only use one tool for their DevSecOps model, they could consider the alternatives below.<\/span><\/p>\n<h5><b>2. Integrate SAST and SCA Into the CI\/CD Pipeline<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">Another way to use SAST and SCA together is to integrate them into the CI\/CD pipeline.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Short for continuous integration, CI refers to a software development approach where developers merge code changes into a central repository multiple times per day. CD, which stands for continuous delivery, then automates the software release process.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Essentially, a CI\/CD pipeline is one that builds code, runs tests (CI), and securely deploys a new version of the application (CD). It is a series of steps that developers need to perform to create a new version of an application. Without a CI\/CD pipeline, engineers would have to perform each step manually, reducing productivity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The CI\/CD pipeline consists of the following stages:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Source. 
<\/b><span style=\"font-weight: 400;\">Developers trigger the pipeline by changing the code in the source code repository, through other pipelines, or via automatically scheduled workflows.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Build. <\/b><span style=\"font-weight: 400;\">The development team builds a runnable instance of the application for end-users.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Test. <\/b><span style=\"font-weight: 400;\">Cybersecurity and development teams run automated tests to validate the code&#8217;s accuracy and catch bugs. This is where organizations should integrate SAST and SCA scanning.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Deploy. <\/b><span style=\"font-weight: 400;\">Once the code has been checked for accuracy, the team is ready to deploy it. They can deploy the app in multiple environments, including a staging environment for the product team and a production environment for end-users.<\/span><\/li>\n<\/ol>\n<h5><b>3. Create a Consolidated Workflow with SAST and SCA<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">Finally, teams can use SAST and SCA together by creating a consolidated workflow.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">They can do this by purchasing cutting-edge cybersecurity tools that let teams run SAST and SCA scans at the same time with a single tool. This will help developers and the IT and cybersecurity teams save a lot of time and energy.<\/span><\/p>\n<h5><b>Experience the Kiuwan Difference<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">With so many SAST and SCA tools on the market, it can be challenging for organizations to pick the right tools for their IT environments. This is particularly true if they have limited experience with SAST and SCA tools.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is where Kiuwan comes in. 
A global organization that designs tools to help teams spot vulnerabilities, Kiuwan offers Code Security (SAST) as well as Insights Open Source (SCA).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Kiuwan Code Security (SAST) can empower teams to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Scan IT environments and share results in the cloud<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Spot and remediate vulnerabilities in a collaborative environment<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Produce tailored reports using industry-standard security ratings so teams can understand risks better<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create automatic action plans to manage tech debt and weaknesses<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Give teams the ability to choose from a set of coding rules to customize the importance of various vulnerabilities for their IT environment<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Kiuwan Insights Open Source (SCA) can help companies:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Manage and scan open source components\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automate code management so teams can feel confident about using OSS<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Integrate seamlessly into their current SDLC and toolkit<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Interested in learning more about Kiuwan&#8217;s products? 
Get <\/span><a href=\"https:\/\/www.kiuwan.com\/free-demo\/\"><span style=\"font-weight: 400;\">demos of Kiuwan&#8217;s security solutions<\/span><\/a><span style=\"font-weight: 400;\"> today. Developers will see how easy it is to initiate a scan, navigate our seamless user interface, create a remediation action plan, and manage internal and third-party code risks.<\/span><\/p>\n<p><em>Content provided by Kiuwan.\u00a0<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).\u00a0 \u00a0 Proprietary software, also known as closed-source or non-free software, includes applications for which the publisher or another person reserves licensing rights to modify, use, or share modifications. Examples include Adobe Flash Player, Adobe Photoshop, macOS, Microsoft  &hellip; <a class=\"read-more\" href=\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\">continue reading<\/a><\/p>\n","protected":false},"author":1093,"featured_media":48372,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"cybocfi_hide_featured_image":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[4339,1,11110],"tags":[14688,16181,102,11205,13552,45],"coauthors":[16180],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Combining Static Application Security Testing (SAST) and Software Composition Analysis 
(SCA) Tools - SD Times<\/title>\n<meta name=\"description\" content=\"When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools - SD Times\" \/>\n<meta property=\"og:description\" content=\"When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\" \/>\n<meta property=\"og:site_name\" content=\"SD Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/SDTimesD2\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-26T15:25:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-14T18:18:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1428\" \/>\n\t<meta property=\"og:image:height\" content=\"950\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Michelle Pruitt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:site\" content=\"@sdtimes\" \/>\n<meta 
name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Michelle Pruitt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\"},\"author\":{\"name\":\"Michelle Pruitt\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/bfd6ca8b9668110cec51820a42ae12e5\"},\"headline\":\"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools\",\"datePublished\":\"2022-07-26T15:25:46+00:00\",\"dateModified\":\"2023-07-14T18:18:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\"},\"wordCount\":1519,\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg\",\"keywords\":[\"CI-CD\",\"kiuwan\",\"open source\",\"SAST\",\"SCA\",\"security\"],\"articleSection\":[\"Industry Spotlight\",\"Latest 
News\",\"Sponsored\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\",\"url\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\",\"name\":\"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools - SD Times\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg\",\"datePublished\":\"2022-07-26T15:25:46+00:00\",\"dateModified\":\"2023-07-14T18:18:28+00:00\",\"description\":\"When creating, testing, and deploying software, many development companies now use proprietary software and open source software 
(OSS).\",\"breadcrumb\":{\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg\",\"width\":1428,\"height\":950},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sdtimes.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sdtimes.com\/#website\",\"url\":\"https:\/\/sdtimes.com\/\",\"name\":\"SD Times\",\"description\":\"Software Development News\",\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sdtimes.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/sdtimes.com\/#organization\",\"name\":\"SD 
Times\",\"url\":\"https:\/\/sdtimes.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"width\":225,\"height\":90,\"caption\":\"SD Times\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/SDTimesD2\",\"https:\/\/x.com\/sdtimes\",\"https:\/\/www.linkedin.com\/company\/sdtimes\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/bfd6ca8b9668110cec51820a42ae12e5\",\"name\":\"Michelle Pruitt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/image\/1090aed3c01aae7e56f5c56718afb988\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/130a8c2ef0b6a09e6dede03ecad4aa4b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/130a8c2ef0b6a09e6dede03ecad4aa4b?s=96&d=mm&r=g\",\"caption\":\"Michelle Pruitt\"},\"description\":\"Michelle Pruitt is a developer evangelist at Kiuwan.\",\"url\":\"https:\/\/sdtimes.com\/author\/michelle-pruitt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools - SD Times","description":"When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/","og_locale":"en_US","og_type":"article","og_title":"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools - SD Times","og_description":"When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).","og_url":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/","og_site_name":"SD Times","article_publisher":"https:\/\/www.facebook.com\/SDTimesD2","article_published_time":"2022-07-26T15:25:46+00:00","article_modified_time":"2023-07-14T18:18:28+00:00","og_image":[{"width":1428,"height":950,"url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg","type":"image\/jpeg"}],"author":"Michelle Pruitt","twitter_card":"summary_large_image","twitter_creator":"@sdtimes","twitter_site":"@sdtimes","twitter_misc":{"Written by":"Michelle Pruitt","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#article","isPartOf":{"@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/"},"author":{"name":"Michelle Pruitt","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/bfd6ca8b9668110cec51820a42ae12e5"},"headline":"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools","datePublished":"2022-07-26T15:25:46+00:00","dateModified":"2023-07-14T18:18:28+00:00","mainEntityOfPage":{"@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/"},"wordCount":1519,"publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"image":{"@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg","keywords":["CI-CD","kiuwan","open source","SAST","SCA","security"],"articleSection":["Industry Spotlight","Latest News","Sponsored"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/","url":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/","name":"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools - SD 
Times","isPartOf":{"@id":"https:\/\/sdtimes.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage"},"image":{"@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg","datePublished":"2022-07-26T15:25:46+00:00","dateModified":"2023-07-14T18:18:28+00:00","description":"When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).","breadcrumb":{"@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#primaryimage","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2022\/07\/Screen-Shot-2022-07-26-at-11.22.29-AM.jpg","width":1428,"height":950},{"@type":"BreadcrumbList","@id":"https:\/\/sdtimes.com\/ci-cd\/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sdtimes.com\/"},{"@type":"ListItem","position":2,"name":"Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) 
Tools"}]},{"@type":"WebSite","@id":"https:\/\/sdtimes.com\/#website","url":"https:\/\/sdtimes.com\/","name":"SD Times","description":"Software Development News","publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sdtimes.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sdtimes.com\/#organization","name":"SD Times","url":"https:\/\/sdtimes.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","width":225,"height":90,"caption":"SD Times"},"image":{"@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/SDTimesD2","https:\/\/x.com\/sdtimes","https:\/\/www.linkedin.com\/company\/sdtimes\/"]},{"@type":"Person","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/bfd6ca8b9668110cec51820a42ae12e5","name":"Michelle Pruitt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/image\/1090aed3c01aae7e56f5c56718afb988","url":"https:\/\/secure.gravatar.com\/avatar\/130a8c2ef0b6a09e6dede03ecad4aa4b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/130a8c2ef0b6a09e6dede03ecad4aa4b?s=96&d=mm&r=g","caption":"Michelle Pruitt"},"description":"Michelle Pruitt is a developer evangelist at 
Kiuwan.","url":"https:\/\/sdtimes.com\/author\/michelle-pruitt\/"}]}},"_links":{"self":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/48371"}],"collection":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/users\/1093"}],"replies":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/comments?post=48371"}],"version-history":[{"count":2,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/48371\/revisions"}],"predecessor-version":[{"id":48378,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/48371\/revisions\/48378"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media\/48372"}],"wp:attachment":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media?parent=48371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/categories?post=48371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/tags?post=48371"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/coauthors?post=48371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}