![[Security Architecture] Vulnerability Assessment](/uploads/2026/04/arch-intro-cat-security.png)
About this article
As the eighth installment (final) of the âSecurity Architectureâ category in the series âArchitecture Crash Course for the Generative-AI Era,â this article explains vulnerability assessment.
Vulnerability assessment is not a pre-release ceremony but continuous operation. The era of annual pentests is over - modern standard is automated inspection on every push built into CI/CD. This article covers the differences between SAST/DAST/SCA/IAST/pentests, CI/CD integration, and countermeasures against gaps in AI-generated code.
What is vulnerability assessment in the first place
Think of a health checkup. Even without symptoms, you get annual blood tests and X-rays to catch signs of disease early. Neglecting checkups because âI feel fineâ can mean itâs too late by the time you notice.
Vulnerability assessment is a health checkup for your system. Itâs the practice of inspecting source code, dependency libraries, running applications, and network configurations with automated tools and expert eyes, finding and fixing weaknesses before attackers exploit them.
Without vulnerability assessment, known vulnerabilities remain unpatched in production. Attackers check public vulnerability databases and automate attacks within hours â âwe didnât knowâ is no excuse.
Why vulnerability assessment is needed
Gaps mix into AI-written code
AI-driven dev raised productivity, but AI-written code is often security-naive, and human-only review canât keep up. Building in automated assessment to let machines watch machines is the modern premise.
Dependency vulnerabilities are surging
Modern apps depend on hundreds to thousands of libraries. Incidents like Log4Shell (the December 2021 Log4j zero-day) can happen tomorrow, and youâll be hit by gaps in dependencies even with perfect own code.
Required by compliance
Certifications like SOC 2, ISMS (information security management system based on ISO 27001), PCI DSS require continuous vulnerability management. Not just form - the implementation record (when, what was inspected, how it was handled) becomes the audit target.
Main assessment methods
Vulnerability assessment splits into multiple methods by âwhat to investigate, how.â None covers everything alone, so combination use is the premise.
| Method | Target | Timing |
|---|---|---|
| SAST | Source code (static) | At commit, in CI |
| DAST | Running app (dynamic) | Staging, production |
| SCA | Dependencies | At commit, daily |
| IAST | Inside running app | During test execution |
| Penetration testing | Comprehensive (manual) | 1-2x/year, before release |
| Bug bounty | External hunters | Continuous |
SAST - find code gaps via static analysis
SAST reads source code and looks for vulnerabilities without running it. Targets things detectable from code patterns - SQL injection, XSS (Cross-Site Scripting), hardcoded secrets. Modern standard usage: run on every push in CI, comment on PRs.
| Pros | Cons |
|---|---|
| Detect at commit time | Many false positives |
| Cover entire codebase | Misses runtime-only issues |
| Devs can fix immediately | Language/framework-dependent |
| Low learning cost | Canât detect config mistakes |
Representative tools: Semgrep, Snyk Code, SonarQube, GitHub Code Scanning (CodeQL).
An area of high âjust put it inâ value. False positives appear, but preventing one critical gap pays off.
DAST - try attacks on the running app
DAST sends attack requests to actually-running apps and watches behavior. Common to run periodically against staging - the strength is checking behavior in the actual environment.
| Pros | Cons |
|---|---|
| Detect gaps in actual env | Slightly low coverage |
| Find config mistakes too | Long scan time |
| Language-independent | Test environment needed |
| Black-box possible | Login-required pages awkward |
Representative tools: OWASP ZAP, Burp Suite, StackHawk, AWS Inspector.
DAST is suited for staging. Run carefully on production, always with prior approval.
SCA - watch over dependency vulnerabilities
SCA checks whether dependencies have known vulnerabilities (CVE, Common Vulnerabilities and Exposures). Most vulnerabilities since 2024 originate in libraries, making SCA so important you could say SCA has higher ROI than self-written code.
| Pros | Cons |
|---|---|
| Detect vulnerable dependencies instantly | Updates may not catch up |
| Auto-fix PRs available | Need to inspect transitive deps |
| Detect license violations too | Old libraries get stuck |
| Extremely easy to deploy | Few false positives |
Representative tools: Dependabot (GitHub standard), Renovate, Snyk Open Source, Trivy.
The top-priority assessment to introduce. Dependabot is enabled with one config file.
The Equifax 2017 incident resulted from leaving an Apache Struts 2 patch (CVE-2017-5638) unpatched for 2 months, leaking about 147M peopleâs personal info, with settlements reaching about $700M (details in appendix âCritical Incident Casesâ). It was a case showing the reality that even with not one line of own code vulnerable, one borrowed part can tilt a company - the case that decided SCAâs value.
IAST and RASP - monitor internals during execution
IAST is a method where an in-app agent monitors behavior during test execution, combining the strengths of SAST and DAST. RASP operates in production to detect and auto-block attacks - positioned like an evolution of WAF.
| Method | Use case | Deployment difficulty |
|---|---|---|
| IAST | Precise detection during testing | Mid (agent-embedded) |
| RASP | Active defense in production | High (perf impact) |
Both need agents embedded in apps, with high deployment cost, but adoption spreads in serious large-enterprise operations.
Penetration testing - comprehensive assessment from attacker view
A comprehensive assessment where specialists actually try attacks from the attackerâs view. The biggest value is finding combined gaps invisible to automated tools (business-logic flaws, authorization bugs, design issues), with going rates of pre-release, on major refactor, or annual periodic.
| Type | Content | Cost target |
|---|---|---|
| External black box | Attack from public face | $5k-20k |
| Internal (authenticated) | Attack after login | $10k-50k |
| Red team | Comprehensive org-wide drill | $50k+ |
| Source-included white box | Thorough check with code disclosed | $30k+ |
For vendor selection, presence of PCI QSA (PCI-certified security auditor) and OSCP (Offensive Security Certified Professional) holders is a guideline.
SBOM and supply chain
SBOM is a list of all dependency components in an app. Since 2024, mandating has progressed in US government procurement, etc., and SBOM submission is becoming a transaction condition. Not just a tech requirement - a concept upgraded to a commercial requirement.
| Use case | Content |
|---|---|
| Impact investigation on vulnerability | Instantly identify if Log4Shell is in your org |
| Procurement/audit response | Submit to customers/regulators |
| License management | Grasp things like GPL inclusion |
| Supply-chain tracking | Record of âpartsâ origins |
SLSA (Supply-chain Levels for Software Artifacts) is a framework that levels build-pipeline reliability, becoming a wheel paired with SBOM in supply-chain security.
Decision criterion 1: scale and phase
Assessment thickness is decided by public scope and data sensitivity.
| Phase | Minimum to do |
|---|---|
| MVP / internal trial | Dependabot + Semgrep free tier |
| B2C public | Above + DAST + annual pentest |
| B2B SaaS | Above + SBOM + SOC 2 continuous operation |
| Finance/medical/public | Above + quarterly pentest + IAST + SLSA support |
At MVP stage, putting in IAST/RASP is excessive, but Dependabot is now common sense to put in unconditionally from day one.
Decision criterion 2: dev regime
Continuous vulnerability-assessment operation requires a regime. âTools installed but no oneâs lookingâ is meaningless.
| Regime | Possible operation |
|---|---|
| Small (~5) | Auto tools only, weekly review |
| Mid (10-30) | 1 dedicated security personnel |
| Large (30+) | Standing security team |
| Enterprise | CSIRT, SOC, red team |
The modern current is the DevSecOps thinking (uniting development, security, operations) where developers hold first-line responsibility for security. The model âsecurity team looks at it laterâ canât keep speed.
How to choose by case
Startup / personal dev
Dependabot + GitHub Code Scanning (CodeQL free tier) + OSS Semgrep. This alone gets minimum detection. Pentest when major customers demand it; SBOM is enough with npm audit or pip-audit.
B2B SaaS (growth)
Unify SAST/SCA with Snyk or GitHub Advanced Security, DAST with StackHawk, annual pentest. SOC 2 continuous monitoring becomes required, and the operation of leaving vulnerability-management records is set up. SBOM submission to customers in CycloneDX format is standard.
Enterprise / finance
Commercial SAST (Checkmarx, Veracode) + DAST (Burp Pro) + IAST (Contrast Security) + RASP. Quarterly pentests + annual red team drills. SBOM auto-generated on all builds, aim for SLSA Level 3+. CSIRT and SOC standing.
Vulnerability-response SLAs and phased practical matrix for assessment
Vulnerability assessment is decided by post-discovery response speed. Below are industry-standard SLAs.
| Severity | Response deadline | Notification | Practical motion |
|---|---|---|---|
| Critical (RCE etc.) | Within 72 hours | Instant PagerDuty + Slack | Stop all work to respond |
| High | Within 1 week | Slack + create PR | Respond next sprint |
| Medium | Within 1 month | PR + Issue | Respond on plan |
| Low | Within 3 months | Issue | Respond on regular maintenance |
For assessment-integration timing, SCA (Dependabot) is enabled from day one, SAST is integrated into CI on PR, DAST runs weekly in staging, SBOM is auto-generated on all builds, and pentests are at least annual (regulated industries quarterly) - the practical rule. As shown by Equifax 2017, leaving Critical patches for 2 months becomes company-survival-level damage.
Critical is within 72 hours - the rule. Patch delays link directly to company-survival risk.
Vulnerability-assessment-operation pitfalls and forbidden moves
Typical accidents in assessment operation. All have the structure of âinstalledâ but ânot operatingâ.
| Forbidden move | Why itâs bad |
|---|---|
| Enable Dependabot and leave alerts | 500 lined up turns to wallpaper, real Critical buried. SLA + on-call rotation required |
| Disable to ignore SAST false positives | Rule tuning is the right answer. Disabling defeats the purpose |
| Only annual pentests with no continuous assessment | Dependency vulnerabilities born daily. CI-integrated continuous assessment required |
| Donât seal vulnerabilities because WAF detects | WAF is insurance, root countermeasure is parameterized queries on code side |
| Donât generate SBOMs | Incidents like Log4Shell (December 2021) leave you in âdonât know if affectedâ |
| Leave vulnerability response to the security team | DevSecOps - developers holding first-line responsibility is the modern style |
| No zero-day playbook | Decision needed within 24 hours. Pre-prep required |
| No AI security assessment (Garak / PromptFoo) | Attacks against AI itself (prompt injection) unguarded |
| Donât enable Secret Scanning | Git accidental commits happen daily, instant leak without detection |
Ignore npm audit / pip-audit warnings | Carry known vulnerabilities into production |
| âOnce before release is enoughâ â postponing | Dependency vulnerabilities are born daily; CI-integrated continuous assessment is the premise |
| âWith WAF, vulnerability assessment is unneededâ â overconfidence | WAF only blocks detectable attacks; root countermeasure is code-side |
| âWith SAST, DAST is unneededâ â using only one | SAST sees code gaps, DAST sees config gaps. Different roles, both needed |
| âToo many false positivesâ â disabling tools | Rule tuning is the right answer; disabling defeats the purpose |
| âWithout paid tools, itâs meaninglessâ â postponing adoption | Dependabot/Semgrep/OWASP ZAP OSS combo covers 70%; start with free tier |
The September 2017 Equifax info-leak (Apache Struts 2 CVE-2017-5638 patch left for 2 months, 147M leaked, settlements about $700M), the December 2021 Log4Shell (Java apps worldwide hit zero-day overnight, companies in droves not knowing if affected without SBOM) - cases where âdependency gapsâ become lethal are repeated.
Vulnerability assessment is premised on operations of building into CI/CD for daily inspection. Annual pentest alone canât seal gaps.
AI decision axes
| AI-era favorable | AI-era unfavorable |
|---|---|
| CI/CD-integrated automated assessment | Manual annual assessment only |
| SBOM auto-generation | Vague dependency management |
| Autofix-supporting tools | Detection only, neglected |
| Type-safe languages | Dynamic-language ambiguity |
- Enable Dependabot from day one â SCA has the highest ROI
- Integrate SAST in CI â automated inspection on every push is the modern minimum
- Run DAST weekly in staging â seal gaps from config mistakes
- Auto-generate SBOM and define vulnerability SLA â becoming a commercial requirement
Why SAST is essential for detecting vulnerabilities in AI-generated code
As AI-written code volume increases, the probability of missing vulnerabilities with human review alone rises. AI especially prioritizes âmaking it work,â making insufficient input validation and omitted SQL parameter binding likely to slip in.
Embedding SAST tools like Semgrep and CodeQL in CI for automatic checking on every push is the minimum bar for AI-enabled development. An auto-fix loop where SAST-detected issues are handed back to AI for fixing â re-checked by SAST is also becoming practical.
SBOM makes AI-generated code dependencies visible
When delegating code generation to AI, dependencies on libraries humans arenât aware of may be added. Cases where AI decides âlodash is handy for thisâ and instructs npm install, or adds pip install requests in Python.
With SBOM auto-generation mechanisms (CycloneDX, Syft, etc.), newly added dependency vulnerabilities can be detected immediately. In the AI era, dependency change frequency increases, making SBOM + SCA (Dependabot/Snyk) real-time monitoring even more important.
Authorâs note - cases where both âpatch delayâ and âzero-dayâ became lethal
Cases where the cost of skimping vulnerability assessment tilted companies are perennial security-industry talking points.
The Equifax 2017 info-leak (Apache Struts 2 CVE-2017-5638 patch left for 2 months â 147M leaked â settlements about $700M) is the case that decided SCAâs (dependency assessment) value (details in appendix âCritical Incident Casesâ).
Log4Shell 2021 (Log4jâs CVE-2021-44228) overnight exposed Java-built apps worldwide to a zero-day, frequently leaving organizations unable to even know if affected without SBOM - the trigger for supply-chain security (SBOM/SLSA) being baked into contract conditions.
Both left the lesson that âdependency gapsâ are lethal, and own-code SAST/DAST alone canât fully defend. The modern minimum line is inspecting daily-updated vulnerabilities daily. Weâve entered an era where the operation of humans looking once a year no longer holds.
What to decide - what is your projectâs answer?
For each of the following, try to articulate your projectâs answer in 1-2 sentences. Starting work with these vague always invites later questions like âwhy did we decide this again?â
- SCA introduction (Dependabot / Renovate / Snyk)
- SAST introduction (Semgrep / CodeQL / SonarQube)
- DAST introduction (OWASP ZAP / StackHawk)
- SBOM-generation automation
- Pentest frequency and scope
- Vulnerability-response SLA (within how many days for Critical)
- AI security inspection (when LLM is used)
Related Articles
https://en.senkohome.com/arch-intro-security-network/ https://en.senkohome.com/arch-intro-security-secrets/ https://en.senkohome.com/arch-intro-security-auth/
Summary
This article covered vulnerability assessment, including the use of SAST/DAST/SCA/IAST/pentests/SBOM, response SLAs, and new AI-era attack surfaces.
Enable Dependabot from day one, integrate SAST in CI, run DAST weekly in staging, auto-generate SBOM and define SLA. That is the practical answer for vulnerability assessment in 2026.
And this was the final installment of the âSecurity Architectureâ category. Next time weâll start a new category (Development and Operations Design).
I hope youâll read the next article as well.
đ Series: Architecture Crash Course for the Generative-AI Era (53/89)