Dev Environment Security
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- The development ecosystem as an attack surface
- Language, runtime, and third-party libraries as inherited risk
- Application Security Testing: SAST vs. DAST vs. IAST vs. SCA
- Securing the SCM repository and the CI/CD pipeline
- Exam-pattern recognition
Application Security Testing methods: what each one sees and misses
| Method | Runs the app? | Needs source access? | Finds best | Blind to | Earliest in SDLC |
|---|---|---|---|---|---|
| SAST (static) | No: analyzes source/bytecode/binary | Yes | Source-level coding flaws (injection, insecure APIs); pinpoints the exact line | Runtime, configuration, and environment flaws; tends to false positives | Coding (very early) |
| DAST (dynamic) | Yes: attacks from outside | No (black-box) | Runtime/deployment flaws; confirms a finding is actually exploitable | Cannot point to the offending line; only tests reachable surfaces | Testing (running app required) |
| IAST (interactive) | Yes: instruments from inside | Yes (agent in the runtime) | Correlates code location with runtime confirmation: fewer false positives | Needs coverage from exercising the app; agent adds runtime overhead | Testing (with instrumentation) |
| SCA | No: inspects the dependency manifest | No (reads components/manifests) | Known-vulnerable third-party components (CVEs) and license risk; feeds the SBOM | Flaws in the team's own first-party code | Coding and continuously after |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
References
- NIST SP 800-218: Secure Software Development Framework (SSDF) v1.1 Whitepaper
- CISA: The Case for Memory Safe Roadmaps
- NIST Cyber Supply Chain Risk Management (C-SCRM)
- NTIA: The Minimum Elements For a Software Bill of Materials (SBOM) Whitepaper
- NIST SP 800-204C: Implementation of DevSecOps for a Microservices-based Application Whitepaper
- NIST Glossary: SAST (static application security testing)
- NIST Glossary: DAST (dynamic application security testing)