Remember Lamb Chop’s Play-Along and that infamous “song that doesn’t end”? Probably not many of you do, so please enjoy the video!
Security testing is a bit like that: a tune that keeps looping no matter how often you hit “stop”, and for good reason. Every new code change, every dependency update, and every newly disclosed vulnerability means the work of keeping systems secure never truly ends.
Traditional penetration testing, while invaluable, can be time-intensive. It’s also expensive — few organizations can afford to have human testers working full-time, continuously probing their systems.
In RABET-V™, we deeply value the insight and intuition that human testers bring. But we also recognize that their expertise can be amplified through automation. By combining human-led security review with continuous, automated testing, we can achieve both breadth and depth of coverage.
Automated approaches
RABET-V supports continuous testing through both static and dynamic application security testing. These tools enable frequent testing — even with every new build — ensuring products remain secure amid constant software updates and evolving threats.
So how do these approaches actually work?
- Static Application Security Testing (SAST) analyzes source code (and sometimes compiled artifacts) to identify vulnerabilities associated with insecure coding practices. Think of it as a “clear-box” review: a deep inspection of the codebase before it is ever deployed. Because it reasons about code rather than running it, it can flag issues early, but it cannot see runtime configuration, and its findings need triage for false positives.
- Dynamic Application Security Testing (DAST), by contrast, behaves more like a simulated attacker. It probes the running application externally, without access to the underlying code, by sending requests and judging the responses. This “opaque-box” approach mirrors real-world attacks and is especially valuable for internet-facing components, which are attacked constantly. Its limitation is the mirror image of SAST’s: it only finds flaws in functionality it can reach and exercise.
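As an added illustration of the two approaches (example code written for this post, not RABET-V’s own tooling or any of the scanners it provides), the Python below does a toy version of each. The SAST half parses a constructed source snippet and flags insecure calls and a hard-coded secret without executing anything. The DAST half starts a small constructed local web app, sends a harmless marker through a query parameter, and reports whether it comes back unescaped, which is the reflected-XSS check a scanner runs against a live site. The rule names, sample source, endpoints, and probe string are all invented for the example.

```python
"""Toy SAST and DAST checks (added example, not RABET-V's tooling).
SAST: parse source into an AST and flag insecure patterns without running it.
DAST: start a local app, send an attack probe over HTTP, judge from the reply.
"""
import ast
import http.server
import threading
import urllib.parse
import urllib.request
from html import escape

# Constructed sample source with four insecure patterns (lines 4, 6, 8, 9).
SAMPLE_SOURCE = '''
import subprocess, pickle
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def greet(name):
    return eval("'hi ' + name")
API_KEY = "sk-hardcoded-123456"
'''
SECRET_HINTS = ("KEY", "SECRET", "PASSWORD", "TOKEN")


def _call_name(node: ast.Call) -> str:
    """Return 'name' or 'module.attr' for the callee, or '' if unknown."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def sast_scan(source: str) -> list:
    """Clear-box check: walk the AST and return sorted (line, rule) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name == "eval":
                findings.append((node.lineno, "eval-use"))
            elif name == "pickle.loads":
                findings.append((node.lineno, "unsafe-deserialization"))
            elif name in ("subprocess.run", "subprocess.call", "subprocess.Popen"):
                # shell=True hands the command string to a shell: injection risk
                if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                       and kw.value.value is True for kw in node.keywords):
                    findings.append((node.lineno, "shell-true"))
        elif isinstance(node, ast.Assign):
            # A string literal assigned to a name such as API_KEY or PASSWORD
            if (isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)
                    and any(isinstance(t, ast.Name)
                            and any(h in t.id.upper() for h in SECRET_HINTS)
                            for t in node.targets)):
                findings.append((node.lineno, "hardcoded-secret"))
    return sorted(findings)


class _App(http.server.BaseHTTPRequestHandler):
    """Constructed target: /search reflects ?q= unescaped, /safe encodes it."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            body = f"<p>Results for {q}</p>"          # vulnerable reflection
        elif url.path == "/safe":
            body = f"<p>Results for {escape(q)}</p>"  # output encoded
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


# Harmless marker that only survives verbatim if the app fails to encode it.
PROBE = '<x-dast-probe a="1">'


def dast_probe(base_url: str, path: str) -> bool:
    """Opaque-box check: send the probe and look for it reflected verbatim."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = f"{base_url}{path}?q={urllib.parse.quote(PROBE)}"
    with opener.open(url, timeout=5) as resp:
        return PROBE in resp.read().decode("utf-8")


def dast_scan() -> dict:
    """Start the local app, probe both endpoints, return {path: vulnerable}."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _App)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {p: dast_probe(base, p) for p in ("/search", "/safe")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("SAST findings:", sast_scan(SAMPLE_SOURCE))
    print("DAST results:", dast_scan())
```

Note what each half can and cannot see: the SAST pass reports the hard-coded key and the `shell=True` call even though nothing ever runs, but it has no idea whether `/search` is exposed; the DAST pass catches the unescaped reflection on the running app without reading a line of its code, but would never notice the `pickle.loads` call unless some request path happened to reach it. Real scanners are far larger rule sets around the same two ideas.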
Lowering cost over time
So how do these tools work within the context of RABET-V? RABET-V runs SAST as part of its Architecture Review assessment. After that assessment, Registered Technology Providers (RTPs) retain access to these tools for 12 months as a part of the public listing service (renewable), allowing them to integrate scanning into their CI/CD pipelines. Because these are SaaS-based tools, testing can be performed at their desired frequency — as often as every build — without waiting for a human review cycle.
RABET-V doesn’t evaluate the results of these elective tests. However, the improved security posture has ripple effects when a product undergoes an iteration of the RABET-V process. Specifically, if RTPs remediate the issues identified by the automated tools before submission, their chance of a successful verification is greatly enhanced.
DAST is an optional extra and is made available for continuous testing. In the longer term, RABET-V will evaluate how to integrate this lighter-weight testing into its risk-based approach to security testing.
SAST, DAST, and Software Composition Analysis (SCA) (covered in another blog post) form a toolbox worth tens of thousands of dollars in value-add.
RABET-V: Your partner in continuous improvement
Automated tools, when integrated into your ensemble, serve as a force multiplier, helping keep your product secure through software updates and evolving threats.
Pairing automated tools with human assessors gives technology providers the best opportunity to secure their products well. RABET-V combines these approaches through its organizational, architecture, and product verification assessments, and provides tech providers with complimentary access to the latest automated security scanning tools between RABET-V iterations.
If you’d like to learn more about the RABET-V process, the automated scanning tools used, or the third-party assessors, please get in touch with us at team@rabetv.org and subscribe to our newsletter.
We won’t stop singing the praises of our continuous approach. The question is, will you join in?
John Dziurłaj