The list of products is definitely more expansive than I realized. This space is ripe for a disruption too. So much potential remains in static code analysis.
It wouldn't surprise me if Microsoft and Github end up integrating a SAST tool into Github and Azure DevOps. I believe Github has a rudimentary scanning tool but something more extensive would give Microsoft and its platforms an advantage.
It's missing KLEE: https://klee.github.io/. KLEE is a symbolic execution engine, which is effectively just a fancy (and useful) approach to static analysis. KLEE is perennially a few releases behind LLVM, but still going strong, apparently.
It's a good list but as was mentioned in another post today about SAST tools, it's very important to know that the tool supports your language and framework version as many of these tools lag far behind the latest releases of popular languages.
> DevSecOps is an augmentation of DevOps to allow for security practices to be integrated into the DevOps approach. The traditional centralised security team model must adopt a federated model allowing each delivery team the ability to factor in the correct security controls into their DevOps practices.
10 comments
[ 4.8 ms ] story [ 30.0 ms ] threadhttps://github.blog/changelog/2020-05-06-github-advanced-sec...
Have spent some time with the beta, definitely worth a look.
https://github.com/analysis-tools-dev/static-analysis https://github.com/analysis-tools-dev/dynamic-analysis https://github.com/collab-qa/check-all-the-things/tree/maste... https://github.com/collab-qa/check-all-the-things/blob/maste...
OWAP > Source Code Analysis Tools: https://owasp.org/www-community/Source_Code_Analysis_Tools
https://analysis-tools.dev/ (supports upvotes and downvotes)
analysis-tools-dev/static-analysis: https://github.com/analysis-tools-dev/static-analysis
analysis-tools-dev/dynamic-analysis: https://github.com/analysis-tools-dev/dynamic-analysis
devsecops/awesome-devsecops: https://github.com/devsecops/awesome-devsecops , https://github.com/TaptuIT/awesome-devsecops
kai5263499/awesome-container-security: https://github.com/kai5263499/awesome-container-security
https://en.wikipedia.org/wiki/DevOps#DevSecOps,_Shifting_Sec... :
> DevSecOps is an augmentation of DevOps to allow for security practices to be integrated into the DevOps approach. The traditional centralised security team model must adopt a federated model allowing each delivery team the ability to factor in the correct security controls into their DevOps practices.
awesome-safety-critical: https://awesome-safety-critical.readthedocs.io/en/latest/
A quick copypasta, sort, and count shows only 6 tools from that initial NIST site are annotated as having been updated in 2020.