Analysis of the Effectiveness of Security Orchestration, Automation, and Response in the DevOps Lifecycle for Web Application Vulnerability Detection
Fitria Damayanti, Prof. Dr. Ir. Ridi Ferdiana, S.T., M.T., IPM; Widyawan, S.T., M.Sc., Ph.D.
2025 | Thesis | Master's Programme in Information Technology
This study addresses the high prevalence of vulnerabilities in web applications across the e-commerce, banking, and corporate sectors, where more than 85 percent of applications are susceptible to cyber threats. This situation necessitates the implementation of effective security testing methods and automated response systems within the DevOps lifecycle. However, the integration of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) often encounters inconsistencies that hinder optimal vulnerability detection and escalation. Furthermore, the deployment of Security Orchestration, Automation, and Response (SOAR) solutions remains complex and is challenged by a lack of structured guidelines supporting the Shift-Left Security paradigm. This research aims to evaluate the effectiveness of SAST and DAST tools, assess SOAR performance in DevOps environments, and develop comprehensive guidelines for security integration and testing. The findings indicate that SAST and DAST complement each other effectively, with tools such as CodeQL, Trivy, Semgrep, and OWASP ZAP excelling in different aspects of vulnerability detection, while SOAR platforms, particularly TheHive, enhance the speed and accuracy of automated incident escalation. The guidelines produced are intended to facilitate the adoption of a more proactive and integrated security approach, thereby strengthening risk management and improving the sustainable quality of web applications.
Keywords: Web Vulnerabilities, SAST, DAST, SOAR, Shift-Left Security