ūüďÖ Webinar - Oct 5, 11AM EDT - DevOps backups vs. ransomware
Save my spot!Save my spot!
SAST

What is SAST?

SAST stands for Static Application Security Testing. To make things simple, SAST tools are cyber security software automating source code analysis.

The goal is to screen your code to identify missing or incorrectly implemented security controls. The SAST software will then create a master list of these security controls and evaluate how well they are implemented.

SAST performs without having to run the program, so it must be syntactically aware of the code and the program's inner systems, including everything from language, dependencies, method calls, and execution order. The code must be thoroughly scanned and evaluated against a database of known vulnerabilities.

How much of our source code is reviewed? Well, the key feature of a SAST is that it reviews the source code, so its analysis can take place ahead of committing it into the main Git project branch. This way of moving security testing sooner in the development process is also called Shift Left security testing. The result is better security outcomes compared to tackling vulnerabilities later in the development cycle.

What is it useful for? It can protect against the majority of the OWASP TOP 10 web application vulnerabilities, such as memory leaks, cross-site scripting (XSS), SQL injection, authentication, and access control misconfigurations.  SAST tools are frequently found directly integrated into modern IDEs or distributed as plugins. The closer it will be to source code, the quicker the feedback loop for developers and the simpler it'll be to remediate.

This is one of the main reasons SAST is often appreciated by tech leads and why there are so many different solutions available since this tool must be very precisely tuned to the stack it is used on.

---

What are the security controls that a SAST tool will perform?

  • Check that all data sent to and received from outside the trust zone are handled securely
  • Check that the cryptographic routines are implemented securely (encryption, hashing, ..)
  • Check how errors and security loggings are handled
  • Check that sensitive data are handled safely
  • Check that authentication is secure
  • Check that authorization is secure
  • Check for anti-brute-force measures (Anti-automation)

---

What will a SAST tool feedback look like?

The power of SAST lies in its precision, it will tell you exactly which part of the source code needs to be adapted in order to ensure the highest security of the application. You can expect features like :

  • Location of security control that did not pass the test
  • Help in remediation with clear action to solve the problem. Some SAST software let you even add custom remediation which maps to your orgs policy and coding guideline
  • Best practices snippet, to show the developer a great practical example on how to fix a specific issue.