| 3 min read
SAST (Static Application Security Testing) is a type of white box test in which a set of technologies is used to analyze the source code, byte code or the application binaries in order to identify and reveal known security vulnerabilities that can be exploited by malicious users.
A bit of history
In his 1976 paper, "Design and Code Inspections to Reduce Errors in Program Development", Michael E. Fagan explained how to do a code review and, thus, created the world's first code review process. Fagan inspection is a formal execution process that involves several phases and participants and detects defects in software development by validating predefined entry and exit criteria.
Fagan Flow (image taken fromhere)
In 1992, in his article “Experience with Fagan’s Inspection Method,” E.P. Doolan proposed using software that would keep a database of previously detected errors and automatically scan the code for them. This is what gave rise to the use of automated code review tools.
Software development Lifecycle (SDLC)
SDLC is a series of stages that must be followed for the development of a specific software product. These stages ensure that the quality, functionality, and objectives of the application meet customer expectations and development standards.
Software development lifecycle (image taken from) here
From the early stages of the SDLC, it is important to use testing methodologies that quickly identify security vulnerabilities in order to remediate them before the application’s release. Multiple known vulnerabilities can be found on the following websites:
OWASP Top 10 from 2013 to 2017 (image taken from) here
By applying SAST, we can detect and avoid most security vulnerabilities listed on the above websites.
How does SAST work?
SAST can be applied manually or through the use of automated tools.
Manual testing is done by a team of testers responsible for reviewing the code for known security vulnerabilities. Once vulnerabilities are found, they are reported to the development team to be solved. Manual testing includes several stages:
-
Synchronization: This stage includes receiving the application from the developers and a complete explanation of what it does and how it does it.
-
Review: In this stage, the testing team takes the source code and analyzes each line, method, class, and file for security vulnerabilities.
-
Reporting: At this stage, false positives and irrelevant information are eliminated, and reports of findings are created and delivered to project leaders responsible for communicating with developers, who then mitigate or patch the vulnerabilities.
Example of a manual test finding report (image taken from) here
Many tools allow us to perform automated code analysis and provide us with reports of the vulnerabilities discovered during scanning. These flexible tools can be integrated with different development environments, including Waterfall, continuous integration/continuous deployment (CI/CD), Agile/DevOps and repositories, and even with other testing tools.
These types of tools use sophisticated functions such as data flow analysis, control flow analysis, and pattern recognition to identify potential security vulnerabilities. The result is that vulnerabilities are reported sooner, especially in complex projects or projects with too many lines of code.
Example of automated test finding report (image taken from) here
Reports should always be checked by experts because automated tools tend to notify large numbers of false positives should be discarded to know the actual risks of an application.
As Synopsys says "There are six simple steps needed to perform SAST efficiently in organizations that have a very large number of applications built on different languages, frameworks, and platforms."
-
Choose an automated tool capable of performing source code reviews of apps written in the programming languages you employ.
-
Manage licensing requirements, set up access controls, and organize the infrastructure needed to deploy the tool.
-
Tailor the tool's scope, add or remove verification requirements according to your organization's needs, integrate the tool into your development environment and link it to a platform that allows you to track its results and reports.
-
Prioritize your applications according to their value and risks and perform scans on them with the tool. Continue these assessments throughout the evolution of your software.
-
Analyze the results obtained by the tool and discard false positives. Prioritize vulnerabilities according to the risk they represent and carry out their remediation.
-
Keep your teams trained on the proper use of the tool within your SDLC.
Benefits
-
SAST can be applied in the early stages of the SDLC, as it looks for vulnerabilities in the code before it is compiled. As long as there is remediation, this can help ensure that many security vulnerabilities do not accumulate in the application just before it is released.
-
Remediating vulnerabilities identified with SAST from the early stages of the SDLC means lower costs in terms of time and money compared to late detection and remediation.
-
SAST is flexible and can be adapted to any type of project.
-
SAST can be fully integrated with CI/CD, Agile and DevOps environments (DevSecOps).
Conclusions
-
Security testing should always be performed on applications to ensure that they are able to maintain the confidentiality, integrity and availability of information.
-
Perform continuous reviews of applications. Security tests should never be performed only once.
-
Using SAST helps programmers learn or reinforce secure coding standards and practices.
Recommended blog posts
You might be interested in the following related posts.
