Enterprise customers often need to define Static Application Security Testing (SAST) and secure source code review requirements: how to systematically map functional requirements into operational requirements, and how to avoid vendor lock-in and upsell features you may not need. This document was prepared with that objective; if it matches what you need, please read on.
Deployment: On premise or on cloud
This should be the first consideration, as some market offerings run on cloud only, with no on-premise option. If your enterprise is not open to cloud deployment, you can narrow the shortlist to on-premise offerings.
Vendor core domain of business
Since the first internet e-commerce transaction in 1995, application security testing (AST) has grown and, depending on the area of concern, is now segmented into dynamic application security testing (DAST), static application security testing (SAST), software composition analysis (SCA), manual application security testing (MAST), mobile application security testing (Mobile AST) and DevSecOps (also known as Secure DevOps).
Some vendors that established themselves in these domains have since exited the business (acquired by another vendor), or their product remains as it was, with no attempt at modernisation. Some products are sold or spun off to another vendor after a few years (in other words, the vendor exits the business). The key is to understand this dynamic context, as no single developer can commit to the same project for a long period of time. Technology changes over the years, and a product must adapt to the new reality with modern features and functionality. For instance, does the SAST tool support the modern programming languages and frameworks we want to adopt, and can it also handle some of the legacy programming languages we are still using? Generally speaking, the wider the variety of supported languages, in particular modern ones, the better the indication that the vendor is in the business for the long term.
How it is licensed
Does it allow a perpetual licence purchase with only software maintenance paid in subsequent years, or is it available only under a subscription model? How is it charged: licensed per application, by the number of lines of code, or does it allow a single installation with unlimited scanning, with the option to multiply scanning capacity by adding scan instances?
As a general rule of thumb, the more applications are involved, the better off you are with unlimited-scan licensing, as you will not end up under-licensed and having to ask for a top-up of licence fees halfway through the term because of an unexpected rise in scanning volume.
Continuous integration (CI), continuous delivery (CD) and DevSecOps requirements
Will the development team need to trigger scans through an API or integrate the scanner with other tools? If so, API functionality is required; in general this is a feature you may need. But if your scenario is that the development team hands you the final project source code to scan, that is a one-way requirement and you do not need API features.
Below is a list of the typical requirements you may use to check with your development team what currently needs to be supported and what they are planning to adopt.
Languages:
C#, JAVA, KOTLIN, PHP, PYTHON, RUBY, GO, JAVASCRIPT / NODE.JS, TYPESCRIPT, GROOVY, C/C++, VB.NET, VISUAL BASIC, VBSCRIPT, ASP CLASSIC, IOS OBJECTIVE C, SWIFT, ANDROID JAVA, COLDFUSION, PLSQL, COBOL, ABAP, SALESFORCE APEX, ASP.NET, JSP, HTML/HTML5, SQL, XML, XAMARIN
Framework:
ASP.NET, ASP.NET MVC, TELERIK, HIBERNATE.NET, ENTITY FRAMEWORK, JSP, J2EE, SPRING, SPRING BOOT, STRUTS, JAX-RS, JAX-WS, JAVA FACES, JAX-RPC, JAVA BEANS, EJB, HIBERNATE, WEBSOCKETS, ZEND, KOHANA, CAKE PHP, SYMFONY, LARAVEL, YII, CODEIGNITER, PHALCON, FLASK, DJANGO, RUBY ON RAILS, REACT, ANGULAR, NODE.JS, JQUERY, EXPRESSJS, KNOCKOUT, KOA.JS, GRAILS, GORILLA, REVEL, GIN, ECHO, BEEGO, IBM DB2, BSP, BOTTLE, XAMARIN
Feel free to contact E-SPIN for your project and operational requirements. E-SPIN officers will walk you through static application security testing (SAST) and secure source code review requirements in a systematic and professional manner.