Default cards around security and DevSecOps #272

Open
@TheDukeDK

Looking at the default cards, I think we seem to be perpetuating the old "tack security on at the end" approach by not even having DevSecOps steps in the default set.

This is the whole reason the phrase DevSecOps was coined.

Would it not make sense to add the following cards or something similar?

Heading: Static Application Security Testing (SAST)

Label: Security

Step Type: DevSecOps

Definition: Run a tool that identifies vulnerabilities in your source code, third party dependencies, container images or infrastructure as code.

Heading: Dynamic Application Security Testing (DAST)

Label: Security

Step Type: DevSecOps

Definition: Run a tool that identifies vulnerabilities in your running web application. The tool can check for vulnerabilities like cross-site scripting, SQL injection, API security, etc.
