(Threat Modeling vs SDL vs Code Reviews vs SAST vs DAST vs SCA)
π§ 1οΈβ£ Threat Modeling
Think before you build
π What it is
Threat Modeling is a design-time activity where you identify what can go wrong, how attackers might exploit it, and what to protect.
π Focus
- Attack surfaces
- Entry points
- Trust boundaries
- Abuse cases
π When
π’ Before coding starts
π’ During architecture & design
π Common methods
- STRIDE
- Attack trees
- Data Flow Diagrams (DFD)
π― Output
- Identified threats
- Mitigation strategies
- Security requirements
β Prevents bad designs
β Does NOT scan code
π 2οΈβ£ Security Development Lifecycle (SDL)
Security baked into every phase
π What it is
SDL is a process framework that integrates security into every phase of software development.
π Focus
- People
- Process
- Technology
π When
π’ End-to-end lifecycle
𧩠Typical phases
- Requirements
- Design
- Implementation
- Verification
- Release
- Maintenance
π― Output
- Secure-by-design software
- Repeatable security practices
β Holistic security
β Not a tool
π 3οΈβ£ Code Reviews
Humans review logic, not just syntax
π What it is
Manual or peer review of source code to catch logic flaws, security mistakes, and bad practices.
π Focus
- Authentication logic
- Authorization checks
- Error handling
- Secrets handling
π When
π’ During pull requests
π’ Before merge
π― Output
- Cleaner code
- Early bug detection
- Knowledge sharing
β Finds logic issues
β Slow and human-dependent
π€ 4οΈβ£ Static Application Security Testing (SAST)
Scan code without running it
π What it is
Automated analysis of source code or binaries to find vulnerabilities.
π Focus
- SQL Injection
- XSS
- Hardcoded secrets
- Insecure APIs
π When
π’ During build
π’ CI pipeline
π― Output
- Vulnerability reports
- Line-level findings
β Early detection
β False positives
π 5οΈβ£ Dynamic Application Security Testing (DAST)
Hack the running app
π What it is
Automated testing of a running application from the outside.
π Focus
- Runtime behavior
- Misconfigurations
- Auth/session issues
π When
π’ After deployment
π’ Test / staging / prod
π― Output
- Exploit-based findings
- Real attack scenarios
β Real-world attacks
β No code visibility
π¦ 6οΈβ£ Software Composition Analysis (SCA)
Your code is not the only risk
π What it is
Scans third-party libraries & dependencies for known vulnerabilities.
π Focus
- Open-source components
- License compliance
- CVEs
π When
π’ During build
π’ Continuously
π― Output
- Vulnerable dependency list
- Upgrade recommendations
β Protects supply chain
β Doesnβt scan your code logic
𧩠How They Fit Together (Big Picture)
| Practice | Design | Code | Build | Runtime | Dependencies |
|---|---|---|---|---|---|
| Threat Modeling | β | β | β | β | β |
| SDL | β | β | β | β | β |
| Code Review | β | β | β | β | β |
| SAST | β | β | β | β | β |
| DAST | β | β | β | β | β |
| SCA | β | β | β | β | β |
π Final Takeaway
π No single practice is enough
β Threat Modeling prevents bad designs
β SDL ensures security is continuous
β Code Reviews catch logic flaws
β SAST finds code-level bugs early
β DAST finds runtime vulnerabilities
β SCA secures your supply chain
π₯ Real DevSecOps uses ALL of them together
Top comments (0)