SAST & DAST with Azure DevOps


Hello,

My organisation is looking to implement SAST & DAST to enhance code quality & security. We are using Azure DevOps for CI/CD. What is the best way to go about finding out what's offered and what the potential solutions in Azure DevOps are? Is this something that's offered by Defender for DevOps, which was announced at Ignite? https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-devops-introduction

Appreciate any help or pointers.

1 Reply
Hello,

There are so many options available for this on the ADO marketplace: tools like Mend (for dependency scanning), SonarQube/SonarCloud (SAST), OWASP ZAP (DAST), ... You can use the ones that work better for you (in terms of pricing and support).

During Ignite the following was announced:
- Defender for DevOps: reviews the security-related setup of your ADO organizations and GH organizations.
- GitHub Advanced Security (GHAS) for ADO, which offers secret scanning, Dependabot (for dependency scanning) and CodeQL (for SAST): https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-ad...

For an example using OWASP ZAP in ADO: https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-...
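To make the reply's two pointers concrete, below is an added example (not from either post, and not Microsoft's or ZAP's own sample) of an Azure Pipelines YAML that runs SAST through the GHAS for ADO CodeQL and dependency-scanning tasks and then runs a DAST pass with the OWASP ZAP baseline scan in a container. It assumes a C# repository (`languages` is a placeholder), that GitHub Advanced Security has been enabled on the repository so the `AdvancedSecurity-*` tasks are available, and that a deployed test instance is reachable at the hypothetical pipeline variable `dastTargetUrl`. The zap-baseline.py exit-code handling reflects ZAP's documented 0/1/2/3 scheme; check it against the ZAP version you pull.

```yaml
# Added example pipeline (not from the thread). Assumptions: C# code, GHAS for ADO
# enabled on the repo, and a hypothetical staging URL in `dastTargetUrl`.
trigger:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

variables:
  # Hypothetical staging target. Only scan hosts you own or are authorised to test.
  dastTargetUrl: 'https://staging.example.invalid'

stages:
- stage: SAST
  displayName: 'SAST and dependency scanning (GHAS for ADO)'
  jobs:
  - job: CodeQL
    steps:
    - task: AdvancedSecurity-Codeql-Init@1
      displayName: 'Initialize CodeQL'
      inputs:
        languages: 'csharp'          # comma-separated for polyglot repos
    - task: AdvancedSecurity-Codeql-Autobuild@1
      displayName: 'Build for CodeQL'
    - task: AdvancedSecurity-Codeql-Analyze@1
      displayName: 'Run CodeQL analysis'     # results land in Repos > Advanced Security
    - task: AdvancedSecurity-Dependency-Scanning@1
      displayName: 'Scan dependencies for known vulnerabilities'

- stage: DAST
  displayName: 'DAST with OWASP ZAP baseline scan'
  dependsOn: SAST
  jobs:
  - job: ZapBaseline
    steps:
    - bash: |
        set -u
        report_dir="$(Build.ArtifactStagingDirectory)/zap"
        mkdir -p "$report_dir"
        # ZAP runs as a non-root user inside the container and must write reports here.
        chmod 777 "$report_dir"

        # zap-baseline.py = spider + passive rules only, so it is safe for a shared
        # staging host. Use zap-full-scan.py for active (payload-injecting) testing.
        #   -t target URL   -m minutes to spider
        #   -r HTML report  -J JSON report (both written to /zap/wrk)
        rc=0
        docker run --rm \
          -v "$report_dir:/zap/wrk/:rw" \
          -t ghcr.io/zaproxy/zaproxy:stable \
          zap-baseline.py -t "$(dastTargetUrl)" -m 5 -r zap-report.html -J zap-report.json || rc=$?

        # Exit codes: 0 no alerts, 1 at least one FAIL, 2 WARNs only, 3 scan error.
        # By default every rule is WARN; a -c config file promotes chosen rules to FAIL.
        case "$rc" in
          0) echo "ZAP baseline: no alerts raised" ;;
          2) echo "##vso[task.logissue type=warning]ZAP baseline raised WARN-level alerts; see zap-report.html"
             echo "##vso[task.complete result=SucceededWithIssues;]" ;;
          *) echo "##vso[task.logissue type=error]ZAP baseline failed (exit $rc); see zap-report.html"
             exit 1 ;;
        esac
      displayName: 'Run ZAP baseline scan'

    - task: PublishBuildArtifacts@1
      displayName: 'Publish ZAP reports'
      condition: always()              # keep the evidence even when the scan fails the job
      inputs:
        PathtoPublish: '$(Build.ArtifactStagingDirectory)/zap'
        ArtifactName: 'zap-dast-report'
```

The `$(...)` expressions are Azure Pipelines macros substituted before bash runs, which is why they are used for the variable and the staging directory. The DAST stage is placed after SAST on purpose: CodeQL and dependency scanning need only the source, whereas ZAP needs a running deployment, so in a real pipeline the deploy stage sits between the two and `dependsOn` points at it. Treat WARN-only results as a gate decision for your team rather than something to ignore; once the baseline is clean, generate a rules file with `-g` and promote the rules you care about to FAIL so regressions break the build.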