What to Look For When Choosing a Static Application Security Testing (SAST) Solution.
If you are involved in securing the applications your organization develops, there is no doubt that Static Application Security Testing (SAST) solutions are an important part of a comprehensive application security strategy. SAST secures software, supports businesses more securely, lowers costs, reduces risk, and speeds up time to develop, ship, and deploy critical applications.
SAST scans code early during development, so your AppSec team won’t be rushing to fix unexpected vulnerabilities right before the big launch is planned. You’ll avoid surprises and rollout delays without inadvertently releasing risky software to customers — or into production.
But if you think of SAST as part of the larger AppSec platform, it’s important for those who want it divert security everywhere maybe in the software development life cycle (SDLC), some SAST solutions outperform others.
Knowing what to focus on
With so many players in the market, sometimes making competing claims, it can be confusing to know what to look for when choosing a SAST solution. It is important to understand what is behind each claim and see if it is true.
Sometimes, the solution an organization initially used was not the right solution as the organization grew or when another team started using the solution.
Therefore, the real question is, “What SAST solution is best for my organization?”
What to look for in a SAST solution
Customize with your AppSec program
A comprehensive application security platform lets you simplify security — in applicative code, open source dependencies, supply chains, IaC, APIs, containers, and more — all from a single scan. The platform delivers fast, correlated and accurate results to accelerate repairs.
When looking for a SAST solution, if it is part of a unified AppSec platform, it will provide the best value for securing modern applications. The complete platform should provide centralized management of SAST, SCA, SCS, API security, DAST, IAC security, and container security.
The platform must be able to grow with you as your needs change. When comparing a platform-based approach to AppSec, ensure that it can correlate scan results across different scanning engines so that you can get an overall risk assessment across projects and applications, instead of trying to manually collect results from multiple stand-alone AST solutions.
Flexibility is very important
No application is the same, and different stakeholders — such as CISOs, application security teams, and developers — have unique needs.
Sometimes they need to get an in-app risk overview and “scan broadly”, while other times they need to “scan deeper” into a specific part of the app or explore highly specialized risks.
Have the flexibility to scan deep and scan broadly covering all use cases. This provides flexibility so that organizations can standardize on a single platform that covers all use cases.
Presets (also known as rule sets) are ready-to-use sets of scan rules that can be applied to a variety of scans. SAST solutions should be pre-packaged with various presets to support key use cases, including getting a “big picture” overview of their code’s risks and vulnerabilities, as well as ensuring regulatory compliance.
Sometimes, no matter how extensive, the prepackaged rule set isn’t enough, and an organization wants to edit or create a custom rule set. This helps improve accuracy and minimizes false positives.
Accuracy is important in SAST
For a SAST solution to be useful, it must be accurate.
When talking about SAST, “false positives” — that is, flagged items that are not a true risk — are often mentioned. The way out is flexible presets and customized queries or rules.
But more worrisome are “false negatives” — that is, risks in your code that your SAST scanner misses and doesn’t identify. With a false negative, you unknowingly release vulnerabilities without even having a chance to explore and fix them. You fly blind.
One way to reduce the possibility of false negatives is to use an “application-centric” solution that understands how your application works. This solution can track the flow of data through code and execute code with symbolic input, allowing it to explore all paths through the code to find exploitable paths. While relying on regex-based tools may sound convenient — after all, they’re lighter and faster — it won’t be after your company makes headlines for vulnerable code released in the wild.
Another solution is to use the right profile for your codebase and create custom queries when needed. For example, if an organization has developed its own custom cleaner, notifying SAST about this cleaner by customizing the query can eliminate false positives. Having a customizable query language is key to reducing false positives without enabling false negatives.
Find a working SAST solution for developers
As mentioned above, getting problems at the source, and not just fixing syntax errors, is faster and saves money in the long run. A quick scan that misses vulnerabilities because they don’t understand how the code relates to the application is not the goal. But no one forces a developer who is already in a hurry to go through every mistake with a fine-toothed comb.
This is important for fix the problem quickly. The trick is to provide a “best repair location.” This directs developers to the right location to fix vulnerabilities, saving them time and energy. And often, by modifying the code at the location of the best fix, that single fix can eliminate multiple vulnerabilities and reduce the number of code corrections needed.
Most developers aren’t security experts — but a good SAST solution can turn them into security heroes.
Look for solutions that show developers how to fix vulnerabilities, explain the meaning and impact of vulnerabilities, and help them write more secure code in the future. Some solutions provide or integrate with code training that teaches developers how to identify and write secure, quality code.
Bite-sized gamified code security training allows for easy, fast learning that increases developer adoption, and this approach can even improve employee retention.
With the right SAST solution, your developers don’t have to go to Stack Overflow or Reddit looking for suggestions on how to fix a problem.
SAST that supports your current software development lifecycle
Languages and frameworks change. Your SAST solution should not. Therefore, it is important to have a SAST solution that keeps up with the latest language updates and supports the latest languages. This allows you to support your developers, wherever they choose to go.
Extensive language support is also critical to enabling organizations to standardize on a single solution across teams and across the organization.
For example, if you’re in finance, your organization may need to support an older language like COBOL, which still drives many banking transactions, as well as an emerging mobile app development language like Flutter. Although different developers may work on both components, organizations can maximize efficiency by standardizing on a single application security platform, rather than using a mix of vendors.
Find API in source code
Spurred on by the recent high-profile data breach, there is increasing awareness of APIs as a potential entry point into your application. OWASP even has an “API Security Top 10”, in which they cover the top ways APIs can be breached, including Injection, Security Misconfiguration, and Corrupt Object Level Authorization.
One of the challenges of most API security solutions today is that everything shifts to the right. For example, WAF protects the runtime environment while DAST tests compiled applications. Meanwhile Can it’s been said that “good security starts with good code”, the API tests that maxim to some extent, as every API is different and comes with its own unique security challenges. Existing solutions also require developers to document their API so that WAF and DAST solutions know what to protect and test. However, developers are often inconsistent with the API documentation, leading to shadow APIs.
The good news is that every API in an application is written in code. At a minimum, your SAST solution should be able to find the API endpoints specified in the code and inventory them. But ideally, it should also be able to show you what vulnerabilities exist in each API, so you can now prioritize vulnerabilities to fix based on the API’s business value.
Have SAST + DAST together in one platform
Anyone who has spent time developing software or been tasked with securing the millions of lines of code that make up a modern application understands that there are many industry-accepted methods for scanning and testing applications. The whole point of scanning code with SAST is to detect coding errors that can potentially lead to exploitable vulnerabilities – and everyone knows that vulnerable code is the root cause of every known breach today. But the value in using SAST and DAST tools is that they find different vulnerabilities.
However, if you have different tools, that means you manage them separately through different interfaces, you have to go to a separate place to view detected vulnerabilities, you have to analyze and triage vulnerabilities differently, and you track fixed vulnerabilities separately.
Having SAST and DAST on the same platform means you can view your vulnerabilities in one place, manage and triage them through one workflow/process, and send them to your developers to fix them through the same workflow. You can also integrate it at various SDLC points using a common integration set.
And as a bonus, if your SAST can find and inventory APIs in source code and find undocumented APIs, you can also test those undocumented APIs using DAST. This helps you get more value out of your SAST solution by taking its findings and improving security results in other areas in a 1+1=3 way.
Discover SAST solutions that enable you to make change happen
As you research SAST solutions, you’re bound to hear lots of promises to shift your AppSec left. But that’s no longer enough. As modern application development practices increase their use of APIs, open source code, and other innovations, new risks arise. Today, everything is an app. You now need your application security for shifted everywhere.
Note: This insightful article has been expertly written and carefully contributed by Avi Hein, Product Marketing Manager at Checkmarx.