ํ”ผ๋“œ๋กœ ๋Œ์•„๊ฐ€๊ธฐ
๐Ÿ” SAST vs DAST: Complete Guide to Application Security Testing in DevSecOps
Dev.to
Security

SAST์™€ DAST ๊ฒฐํ•ฉ์„ ํ†ตํ•œ DevSecOps ํŒŒ์ดํ”„๋ผ์ธ์˜ ๋‹ค์ธต ๋ณด์•ˆ ์ฒด๊ณ„ ๊ตฌ์ถ•

๐Ÿ” SAST vs DAST: Complete Guide to Application Security Testing in DevSecOps

Abhishek Korde, May 19, 2026, 3 min read, intermediate

Context

์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ๋ณต์žก๋„ ์ฆ๊ฐ€์— ๋”ฐ๋ผ ์ „ํ†ต์ ์ธ ์‚ฌํ›„ ๋ณด์•ˆ ๊ฒ€ํ†  ๋ฐฉ์‹์˜ ํ•œ๊ณ„ ๋ฐœ์ƒ. CI/CD ํŒŒ์ดํ”„๋ผ์ธ ๋‚ด ๋ณด์•ˆ ํ†ตํ•ฉ์„ ํ†ตํ•œ DevSecOps ๊ตฌํ˜„ ํ•„์š”์„ฑ ์ฆ๋Œ€.

Technical Solution

  • Early identification of vulnerabilities such as SQL injection and XSS at the source-code and binary stage through SAST, a white-box testing approach
  • Detection of server misconfigurations in the runtime environment and simulation of real attacks through DAST, a black-box testing approach
  • Placing SAST in the development stage to minimize the cost of code fixes and enforce secure coding
  • Placing DAST in the post-build and post-deployment stages to close runtime security gaps
  • Designing an automated security verification loop by integrating SonarQube and OWASP ZAP into the CI/CD pipeline
  • Maximizing security detection coverage through the complementary placement of static and dynamic analysis

1. ์†Œ์Šค ์ฝ”๋“œ ๋ ˆ๋ฒจ์˜ ์ทจ์•ฝ์  ์ œ๊ฑฐ๋ฅผ ์œ„ํ•ด Git Push ๋‹จ๊ณ„์— SAST ์Šค์บ” ์ž๋™ํ™” ์ ์šฉ

2. ๋ฐฐํฌ ํ™˜๊ฒฝ์˜ ๋Ÿฐํƒ€์ž„ ๋ณด์•ˆ ๊ฒ€์ฆ์„ ์œ„ํ•ด Staging/Production ๋‹จ๊ณ„์— DAST ์Šค์บ” ๊ตฌ์„ฑ

3. ๊ฐœ๋ฐœ ์ƒ์‚ฐ์„ฑ์„ ์œ„ํ•ด SAST ์šฐ์„  ์ ์šฉ ํ›„ DAST๋กœ ์ตœ์ข… ๊ฒ€์ฆํ•˜๋Š” ๊ณ„์ธต์  ํŒŒ์ดํ”„๋ผ์ธ ์„ค๊ณ„

4. OWASP ZAP ๋“ฑ ์˜คํ”ˆ์†Œ์Šค ๋„๊ตฌ๋ฅผ ํ™œ์šฉํ•œ Baseline ์Šค์บ” ์ฒด๊ณ„ ๊ตฌ์ถ•
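As an added example (not code from the original article or from SonarQube or ZAP), the gate logic behind steps 1 to 4: the SAST gate reads a SonarQube quality-gate status, and only when it is clean does the DAST gate evaluate a ZAP baseline JSON report, blocking promotion at Medium risk or above. The response and report field layouts, the staging host name and the alert samples are constructed assumptions.

```python
"""Pipeline gate for the layered SAST -> DAST flow: SAST on push, DAST on staging."""
from __future__ import annotations
import json

# Constructed sample: shape of SonarQube's /api/qualitygates/project_status response (assumption).
SONAR_STATUS = json.loads("""{"projectStatus": {"status": "ERROR", "conditions": [
  {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
  {"status": "OK", "metricKey": "new_coverage", "comparator": "LT", "errorThreshold": "80", "actualValue": "85.0"}]}}""")

# Constructed sample: shape of a ZAP baseline JSON report (-J); riskcode 0..3 = Info..High (assumption).
ZAP_REPORT = json.loads("""{"site": [{"@name": "https://staging.example.test", "alerts": [
  {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "riskdesc": "Medium (High)", "count": "4"},
  {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1", "riskdesc": "Low (Medium)", "count": "4"},
  {"pluginid": "10096", "name": "Timestamp Disclosure", "riskcode": "0", "riskdesc": "Informational (Low)", "count": "1"}]}]}""")

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def sast_gate(sonar_status: dict) -> tuple[bool, list[str]]:
    """Stage 1 (on push/merge): fail fast on any failing quality-gate condition."""
    ps = sonar_status["projectStatus"]
    failed = [f"{c['metricKey']}={c['actualValue']} (threshold {c['comparator']} {c['errorThreshold']})"
              for c in ps.get("conditions", []) if c["status"] == "ERROR"]
    return ps["status"] == "OK" and not failed, failed


def dast_gate(zap_report: dict, block_at: str = "2") -> tuple[bool, list[str]]:
    """Stage 2 (against staging): block on alerts at or above `block_at` risk (default Medium);
    lower-risk alerts are left as warnings so the baseline scan does not stall every deploy."""
    blocking = []
    for site in zap_report.get("site", []):
        for a in site.get("alerts", []):
            if int(a["riskcode"]) >= int(block_at):
                blocking.append(f"{RISK_NAMES[a['riskcode']]}: {a['name']} (x{a['count']} on {site['@name']})")
    return not blocking, blocking


def pipeline_verdict(sonar_status: dict, zap_report: dict) -> tuple[str, list[str]]:
    """Layered order: the cheaper code-level gate runs first; DAST only decides once SAST is clean."""
    ok, reasons = sast_gate(sonar_status)
    if not ok:
        return "BLOCKED_SAST", reasons
    ok, reasons = dast_gate(zap_report)
    return ("PROMOTE", []) if ok else ("BLOCKED_DAST", reasons)


if __name__ == "__main__":
    verdict, reasons = pipeline_verdict(SONAR_STATUS, ZAP_REPORT)
    print(verdict, *reasons, sep="\n  ")
```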

์›๋ฌธ ์ฝ๊ธฐ