Software Security Initiative Capabilities: Getting Started mentions three common security capabilities:
- Penetration testing
- Code review
- Some sort of secure design review (e.g., threat modeling)
Tools can help somewhat: Dynamic Analysis (DAST) supports penetration testing and Static Analysis (SAST) supports code review, but neither catches everything.
However, there are no tools for secure design reviews; these require a subject matter expert (SME). The threat modeling process involves documenting the architecture and diagramming the application to help identify threats. This same information is needed again later in the SDLC, by both secure code reviews and penetration testing.