Verification tools identify weaknesses in an application by analyzing it from its source code or during runtime. They are effective at finding certain types of vulnerabilities, but not well-suited for others as there are a class of application weaknesses that cannot be adequately tested by a verification. However, they form part of an effective security testing strategy when combined with a focused manual testing practice. SD Elements can help teams achieve this effective strategy by identifying which security requirements are not covered by a verification tool, and which ones require further manual testing.
SD Elements integrates with two types of verification tools:
Static analysis: Tools that scan application code for vulnerabilities, such as Veracode (static analysis) and HP Fortify.
Dynamic analysis: Tools that scan application runtime for vulnerabilities, such as Veracode (dynamic testing) and HP WebInspect.