My company’s “Application Security Testing Standard” requires assessing application code with Static Code Analysis or Dynamic Analysis. The tools currently used for this are from Veracode:
- Static Application Security Testing (SAST), or “white-box” testing, finds common vulnerabilities by performing a deep analysis of your applications without actually executing them.
- Dynamic Application Security Testing (DAST), or “black-box” testing, identifies architectural weaknesses and vulnerabilities in your running web applications before cyber-criminals can find and exploit them.
Scanning AngularJS-based HTML is another matter. I am hopeful that the recently released Angular Hint will grow to include modules that provide security analysis beyond the built-in security features of AngularJS.
Is this a topic worth pursuing, or will either Veracode or our IDEs (WebStorm, Visual Studio) start providing this tooling?