secure-development-guide

Static application security testing (SAST)

Introduction

Also known as static analysis, this method works by running specialized software called static analyzers over the application source code, without executing it. A static analyzer builds an internal model of the program (typically a syntax tree, often enriched with control-flow and data-flow information) and applies a set of built-in rules to that model to flag anomalous code patterns. Some of these findings are security flaws: many common vulnerability classes, such as injection of untrusted input into a shell or interpreter, use of unsafe APIs and use of weak cryptography, can be detected this way.
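To make the "internal model plus rules" idea concrete, here is a toy static analyzer written for this guide (it is an added example, not code from the guide or from any real SAST product). The model is Python's own syntax tree from the `ast` module; each rule is a predicate over call nodes. The rule identifiers (PY-EVAL, PY-SHELL, PY-HASH) and the scanned sample program are invented for the illustration. The sample deliberately includes one line the analyzer gets wrong: `eval(TRUSTED_EXPR)` is reported even though the argument is a module-level constant, because this analyzer does not track data flow, which is exactly the kind of false positive discussed later on this page.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    message: str


def _qualified_name(node):
    """Render call targets such as `os.system` or `subprocess.run` as dotted names."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _first_arg_is_str_literal(call):
    return (bool(call.args) and isinstance(call.args[0], ast.Constant)
            and isinstance(call.args[0].value, str))


def _has_keyword(call, name, value):
    return any(kw.arg == name and isinstance(kw.value, ast.Constant)
               and kw.value.value is value for kw in call.keywords)


class RuleVisitor(ast.NodeVisitor):
    """The analyzer's model is the syntax tree; every rule is checked on each Call node."""

    def __init__(self):
        self.findings = []

    def _report(self, rule_id, node, message):
        self.findings.append(Finding(rule_id, node.lineno, message))

    def visit_Call(self, node):
        name = _qualified_name(node.func)
        # PY-EVAL (hypothetical rule id): eval/exec on anything but a string literal.
        if name in ("eval", "exec") and not _first_arg_is_str_literal(node):
            self._report("PY-EVAL", node, f"{name}() called on a non-literal argument")
        # PY-SHELL: os.system always uses a shell; subprocess.* only when shell=True.
        if name == "os.system" or (name.startswith("subprocess.")
                                   and _has_keyword(node, "shell", True)):
            self._report("PY-SHELL", node, f"{name}() runs its argument through a shell")
        # PY-HASH: digests that are not collision resistant.
        if name in ("hashlib.md5", "hashlib.sha1"):
            self._report("PY-HASH", node, f"{name}() is a weak hash")
        self.generic_visit(node)  # keep walking into nested calls and arguments


def scan_source(source):
    """Parse the source once, run all rules over it, return findings ordered by line."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample program to scan (not real project code).
SAMPLE = '''
import hashlib, os, subprocess

TRUSTED_EXPR = "2 * 3"

def run(cmd, user_input):
    os.system("ls " + user_input)              # line 7: os.system always uses a shell
    subprocess.run(cmd, shell=True)            # line 8: shell=True
    subprocess.run(["ls", "-l"])               # no shell: not reported
    eval("1 + 1")                              # string literal: not reported
    eval(TRUSTED_EXPR)                         # line 11: reported, but a false positive
    eval(user_input)                           # line 12: true positive
    return hashlib.md5(user_input.encode())    # line 13: weak hash
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule_id}] {f.message}")
```

Real analyzers differ from this toy mainly in the richness of the model (interprocedural data flow, taint tracking, framework awareness), not in the basic shape: a program model, a rule set, and a list of findings with locations.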

Why do SAST?

SAST process and workflow

When to do SAST

SAST is most useful when done early in the pipeline. Some web/cloud-based SAST tools run their scanner as soon as code is pushed to a repository, which allows developers to fix the issue while the change is still fresh in their minds. Others run as part of the CI/CD pipeline and block the build or merge if anything serious is found. Doing it later, especially after QE (quality engineering) testing, often wastes resources, since the application then has to be patched and put through QE again.

SAST tools

This document is not about comparing SAST tools, but there are some important points which should be considered when choosing one:

Analyzing the output

Different SAST tools provide output in different ways: as log files, as XML, or sometimes as JSON. In the end, the purpose of the exercise is to find flaws and fix them, so reviewing the output properly is what matters most. Long reports should be parsed, de-duplicated and filtered by automation rather than read end to end. It also does not hurt to have more than one person look at them: developers tend to take their own code for granted, and some mistakes are only spotted by others.

Several SAST tools integrated with CI/CD pipelines report their findings directly on the commit or pull request, so the issues can be fixed before the code is built and merged. The picture below shows a typical SAST warning from a GitHub code scanning workflow:

(Image: GitHub SAST scan)

Closing words

One important aspect of dealing with SAST scans is the rate of false positives. Though SAST tools are getting better with time, the complexity of a codebase or the particular language being analyzed means there will always be some false positives (and, less visibly, false negatives: real flaws the tool misses). A defined process for triaging findings, recording why a reported finding was accepted as a false positive, and preventing the same finding from being re-litigated on every scan is key to success.
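The three operational points above (gating the pipeline on the scan, parsing the tool's output with automation, and handling false positives without re-reviewing them on every run) fit naturally into one small triage script. The following is an added example written for this guide, not code from the guide or from any SAST product. The JSON report layout, the rule identifiers and the baseline format are all invented for the illustration; a real tool's JSON or XML would need its own parsing, but the flow is the same. Accepted false positives are stored by a content fingerprint (rule, file and normalized source snippet, deliberately excluding the line number so that edits elsewhere in the file do not invalidate the suppression) together with a reason and an expiry date, so that every suppression is eventually re-reviewed.

```python
import hashlib
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of what a SAST tool might emit as JSON. Not any real tool's format.
RAW_REPORT = json.dumps({"results": [
    {"rule": "PY-SHELL", "severity": "high", "file": "app/jobs.py", "line": 42,
     "message": "subprocess.run() with shell=True",
     "snippet": "subprocess.run(cmd, shell=True)"},
    {"rule": "PY-HASH", "severity": "medium", "file": "app/cache.py", "line": 17,
     "message": "weak hash", "snippet": "key = hashlib.md5(url.encode()).hexdigest()"},
    {"rule": "PY-EVAL", "severity": "high", "file": "app/rules.py", "line": 88,
     "message": "eval() on a non-literal", "snippet": "eval(user_expr)"},
    # Tools sometimes report the same location twice (e.g. once per code path).
    {"rule": "PY-EVAL", "severity": "high", "file": "app/rules.py", "line": 88,
     "message": "eval() on a non-literal", "snippet": "eval(user_expr)"},
]})


def fingerprint(rule, path, snippet):
    """Stable identity of a finding. Whitespace is normalized and the line number is
    left out so the suppression survives unrelated edits above the reported line."""
    normalized = " ".join(snippet.split())
    return hashlib.sha256(f"{rule}\0{path}\0{normalized}".encode()).hexdigest()[:16]


def parse_report(raw):
    """Load the JSON report, attach fingerprints and drop exact duplicates."""
    seen, findings = set(), []
    for r in json.loads(raw)["results"]:
        fp = fingerprint(r["rule"], r["file"], r["snippet"])
        if (fp, r["line"]) in seen:
            continue
        seen.add((fp, r["line"]))
        findings.append({**r, "fingerprint": fp})
    return findings


def accept(rule, path, snippet, reason, expires):
    """Record a reviewed false positive. `expires` forces a re-review later."""
    return {"fingerprint": fingerprint(rule, path, snippet),
            "reason": reason, "expires": expires}


# Constructed baseline of previously triaged findings (hypothetical reasons).
BASELINE = [
    accept("PY-HASH", "app/cache.py", "key = hashlib.md5(url.encode()).hexdigest()",
           reason="md5 only derives a cache key, no integrity or auth use",
           expires="2099-01-01"),
    accept("PY-SHELL", "app/jobs.py", "subprocess.run(cmd, shell=True)",
           reason="cmd was a hardcoded string when reviewed",
           expires="2020-01-01"),  # expired: must be looked at again
]


def triage(findings, baseline, today):
    """Split findings into new ones and ones covered by a still-valid suppression."""
    active = {b["fingerprint"] for b in baseline
              if date.fromisoformat(b["expires"]) > today}
    new = [f for f in findings if f["fingerprint"] not in active]
    suppressed = [f for f in findings if f["fingerprint"] in active]
    return new, suppressed


def gate(new_findings, threshold="high"):
    """Exit status for the pipeline: non-zero if any new finding meets the threshold."""
    blocking = [f for f in new_findings
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]]
    return 1 if blocking else 0


def summarize(new_findings, suppressed):
    lines = [f"{len(new_findings)} new finding(s), {len(suppressed)} suppressed"]
    for f in sorted(new_findings, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        lines.append(f"  {f['severity']:<8} {f['file']}:{f['line']} [{f['rule']}] {f['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    new, suppressed = triage(parse_report(RAW_REPORT), BASELINE, date.today())
    print(summarize(new, suppressed))
    sys.exit(gate(new))
```

Run as a pipeline step, the script fails the build only on new findings at or above the chosen severity, while accepted false positives stay silent until their expiry date comes around. Keeping the baseline in the repository next to the code, reviewed like any other change, is what turns false-positive handling from an ad-hoc chore into part of the process.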

Overall, SAST is an important process for catching flaws early in the lifecycle, and when properly integrated with the pipeline it serves as an important tool for improving the overall security of any project.