Skill Profile

SAST/DAST

SonarQube, Semgrep, Snyk, OWASP ZAP: static and dynamic analysis

Roles: 5 (where this skill appears)
Levels: 5 (structured growth path)
Mandatory requirements: 23 (the other 2 optional)
Domain: Security
Group: Application Security
Last updated: 3/17/2026

How to Use

Choose your current level and compare expectations. The items below show what to cover to advance to the next level.

What is Expected at Each Level

The tables below show how skill depth grows from Junior to Principal, one table per level, with the roles in which the skill is required or optional.

Level 1 (Junior)
Role | Required | Description
Application Security Engineer | Required | Understands basic SAST/DAST concepts. Follows security guidelines. Recognizes typical code vulnerabilities.
DevSecOps Engineer | Required | Runs SonarQube and Semgrep locally for static code analysis. Studies SAST reports and classifies vulnerabilities by severity. Configures a basic DAST scan with OWASP ZAP against a test application. Understands the difference between the SAST, DAST and IAST approaches to security testing.
Penetration Testing Engineer | Required | Understands basic SAST/DAST concepts. Follows security guidelines. Recognizes common vulnerabilities in code.
QA Security Engineer | Optional | Runs SAST/DAST tools: SonarQube for static analysis, ZAP for dynamic analysis. Reads reports and classifies findings. Distinguishes true positives from false positives.
Security Analyst | Required | Understands basic SAST/DAST concepts. Follows security guidelines. Recognizes common code vulnerabilities.

Level 2
Role | Required | Description
Application Security Engineer | Required | Configures and runs SAST/DAST tools to identify vulnerabilities in application code and running services. Conducts security code reviews using static analysis findings as input. Triages scanner results, eliminates false positives, and tracks confirmed issues to resolution.
DevSecOps Engineer | Required | Integrates SonarQube and Semgrep into CI/CD pipelines with quality gates that block merges on critical vulnerabilities. Configures OWASP ZAP in API scanning mode with an OpenAPI specification. Writes custom Semgrep rules for project-specific vulnerability patterns.
Penetration Testing Engineer | Required | Uses DAST tools alongside manual penetration testing to discover runtime vulnerabilities. Validates SAST findings through exploitation to confirm real attack vectors. Integrates dynamic scanning into penetration testing workflows to maximize coverage of web application attack surfaces.
QA Security Engineer | Optional | Configures the SAST/DAST pipeline: Semgrep/SonarQube rule customization, ZAP automated scan profiles, IAST integration. Tunes rules to reduce false positives. Prioritizes findings.
Security Analyst | Required | Analyzes SAST/DAST scan results to assess risk levels and prioritize remediation efforts. Correlates scanner findings with threat intelligence and known vulnerability databases. Generates actionable security reports from scanning data for development and management teams.

Level 3
Role | Required | Description
Application Security Engineer | Required | Designs security solutions with SAST/DAST. Conducts threat modeling. Implements security practices in the SDLC. Mentors the team.
DevSecOps Engineer | Required | Develops a centralized SAST/DAST platform for all teams. Tunes SonarQube quality profiles, minimizing false positives to less than 10%. Introduces IAST (Contrast Security) for runtime analysis. Configures SAST and DAST result correlation for vulnerability prioritization.
Penetration Testing Engineer | Required | Designs advanced SAST/DAST testing strategies combining automated scanning with manual exploitation techniques. Conducts threat modeling to identify gaps in scanner coverage. Integrates SAST/DAST into CI/CD security gates with custom rule sets. Mentors the team on interpreting and validating scanner results.
QA Security Engineer | Required | Designs the SAST/DAST strategy: tool selection by technology stack, custom rules for business logic, finding correlation between SAST and DAST. Creates custom Semgrep/CodeQL rules.
Security Analyst | Required | Designs comprehensive SAST/DAST analytics frameworks for vulnerability trend analysis. Conducts threat modeling to map scanner coverage against real attack scenarios. Integrates scanning results into the SIEM for continuous security monitoring. Mentors analysts on vulnerability classification and risk scoring.

Level 4
Role | Required | Description
Application Security Engineer | Required | Defines organization-wide SAST/DAST strategy and tool selection standards. Establishes security scanning policies, quality gates, and remediation SLAs for development teams. Coordinates vulnerability response across products when critical scanner findings arise. Trains engineers on effective SAST/DAST adoption.
DevSecOps Engineer | Required | Defines an AST (Application Security Testing) strategy with SonarQube Enterprise, Semgrep Pro, OWASP ZAP and Burp Suite. Manages the AppSec engineering team. Builds SAST/DAST effectiveness metrics: detection time, false positive rate, coverage. Integrates results into Defect Dojo.
Penetration Testing Engineer | Required | Defines the SAST/DAST integration strategy for penetration testing across all products. Establishes scanner validation policies and custom rule development standards. Coordinates offensive security efforts combining automated scanning with manual testing. Trains pentest engineers on advanced SAST/DAST usage.
QA Security Engineer | Required | Defines SAST/DAST standards: mandatory scanning gates, triage process, remediation SLA. Coordinates tooling between security and development. Evaluates tool effectiveness.
Security Analyst | Required | Defines the SAST/DAST monitoring and reporting strategy across the organization. Establishes vulnerability management policies based on scanner data and risk classification. Coordinates cross-team remediation tracking for critical scanner findings. Trains security analysts on scan result analysis and prioritization.

Level 5 (Principal)
Role | Required | Description
Application Security Engineer | Required | Defines the enterprise SAST/DAST security testing architecture spanning all development platforms. Shapes scanning strategy for multi-cloud and microservice environments at scale. Coordinates with vendors on tool capabilities and compliance requirements. Drives SAST/DAST best practices adoption across the industry.
DevSecOps Engineer | Required | Designs a corporate security testing architecture unifying SAST, DAST, IAST, SCA and fuzzing into a single pipeline. Defines standards for dozens of teams. Evaluates and introduces innovative approaches: AI-driven SAST, semantic code analysis, runtime protection.
Penetration Testing Engineer | Required | Defines the enterprise offensive security strategy integrating SAST/DAST with manual penetration testing at scale. Shapes security testing architecture for complex distributed systems. Coordinates with tool vendors and regulatory bodies on scanning standards. Represents the organization in the offensive security community.
QA Security Engineer | Required | Designs an application security testing platform: integrated SAST/DAST/IAST/SCA, automated triage, vulnerability correlation. Defines the organizational AppSec testing strategy.
Security Analyst | Required | Defines the enterprise vulnerability intelligence strategy powered by SAST/DAST data across all business units. Shapes the security analytics architecture integrating scanner output with threat intelligence platforms. Coordinates compliance reporting with regulatory bodies. Drives vulnerability management standards in the industry.
