What is Static Application Security Testing (SAST)?
Static Application Security Testing is also known as static analysis or white box testing; it is an Application Security testing methodology that doesn't require running an application. It scans the Source, binaries, or byte code to identify vulnerabilities in the development phase of the software development lifecycle and provides immediate feedback to developers by integrating it into their IDEs and CI (Continuous Integration) tools like Jenkins, GitLab, etc. SAST helps developers to identify the root cause of the vulnerabilities by pointing out the vulnerable lines of code, and it also provides source and sink of data to help developers to analyze and remediate the vulnerabilities early in the software development lifecycle
Working/Process
Now let's see how Static Application Security Testing or Static analysis works.
Static Application Security Testing generally conduct in 4 Phases.
1. Compilation of source code
In this stage, semantic analysis takes place to tokenize and examine syntax and identifiers and resolve the types of code.
2. Model Extraction
In this stage, the SAST tool converts the compiled code into various models (Symbol table, Call graph, Control flow graph, abstract syntax tree, and proprietary models by vendors) that are further used by the tool to perform various analyses.
3. Analysis
In this stage, the SAST tool performs various types of analysis.
a. Pattern Matching: Identify vulnerabilities using the number of Regex rules
b. Data Flow analysis: Tracks the data flow through the application to determine if the input is validated before use. Determines whether data coming from insecure sources such as a file, the network, or user input is cleansed before consumption
c. Control Flow Analysis: Checks the order of the program operations to detect potentially dangerous sequences such as race conditions, secure cookie transmission failure, uninitiated variables, or misconfigurations of utilities before use.
4. Result Publication
Once all the analysis is complete, results are published.
Stages to Conduct SAST
The effective way to conduct SAST in 4 Stages
1. Pre-Commit
Pre-Commit SAST allows us to find the common securities issues before the developers commit the code in the source code repository. This is done by integrating IDE SAST plugins offered by various SAST vendors and helps developers to fix common security issues while writing the code.
2. During Commit
Commit time SAST has triggered automatically once the developer commits the code in the source code repository. It allows us to verify the committed code is compliable or buildable and check for critical and high issues with the limited ruleset.
3. During Build
Build Time SAST has triggered automatically once the build is triggered, and Build Time SAST is performed by creating various models (Symbol Table, Call Graph, Control Flow Graph, Abstract syntax tree, and Proprietary model) to perform various SAST analyses (Pattern Matching, Control Flow Analysis, Data Flow Analysis, etc..) with all the ruleset to conduct more rigorous and compressive testing and also break the build if Critical or high issues are reported (Build break rules can be changed)
4. Complete Application
All the above stages perform SAST only for a specific piece of application. Still, it is essential to run SAST for complete application code to ensure that the application codebase does not contain any security issues. It also tells us the overall security health of the application codebase and ensures that the complete application codebase is covered for SAST.
Complete Application SAST takes much more time than the above SAST stage, so it is better to run the SAST on the entire application codebase on a scheduled basis in an automated fashion.
Pros and Cons
Pros
- Identify security issues early in the Software development lifecycle and provide immediate feedback on the Developer's IDEs or during the build.
- Scans millions of lines of code to identify critical vulnerabilities like Bufferover flow, SQL injection, command injection, hardcoded secret, etc., within minutes.
- Show the exact location of the vulnerabilities by pointing out vulnerable lines of code, including source and sink, to help developers to analyze and remediate the issues quickly.
- It does not require any running application
Cons
- Reports the high number of false positive results in the first scan
- Since SAST scans the source code, so it is language dependent, and for popular languages like Java, .NET, and javascript there are number of SAST solutions are available, but for less popular languages like Nim and Rust, options are minimal.
- SAST scans the source code, so it is not capable of identifying dynamic security vulnerabilities like configurations error, DoS, etc.
Tags:
SAST