Static Application Security Testing (SAST) is one of the principal techniques for assessing the source code of applications to detect possible vulnerabilities. SAST enhances application security during the early stages of the development life cycle and plays an important role in shifting security left.
However, there are quite a few myths that are often associated with implementing SAST security tools. Let’s run through the big three:
It’s a common misconception that SAST security tools all do pretty much the same thing. They don’t, so choose your SAST tool carefully. Here are some things to keep in mind.
SAST tools check and fix flaws in custom, or proprietary, code. However, in most modern applications, more than 80 percent of the code base is composed of open source components. Relying purely on SAST tools leaves a significant portion of your application’s attack surface unprotected. If open source direct and transitive dependencies are not scanned, they introduce a blind spot that could jeopardize the security of your applications. In today’s constantly evolving threat landscape, it’s best to combine SAST with Software Composition Analysis (SCA) tools, which identify vulnerabilities in the open source components of your code. Doing so enables you to perform comprehensive analyses and detect problems throughout your code base, whatever the sources. Importantly, all of your code will be covered.
Ideally, an integrated security platform is the best strategy for seamless scanning across SAST and SCA tools. For complete visibility into application code, look for a platform that uses an extensive database of known vulnerabilities sourced from different, up-to-date outlets, and that supports the widest range of different programming languages. Furthermore, recent innovation in SAST technology provides automatic remediation of code flaws in custom code for the first time. This allows companies to use a single platform to both find and automatically fix application security holes in both open source and custom code.
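To make the transitive-dependency blind spot concrete, here is an added example (not code from the original post or from any vendor's product): a minimal SCA-style walk over a constructed dependency graph, checked against a constructed advisory list. All package names, versions and advisory IDs are placeholders. Run with only direct dependencies inspected, the vulnerable package three levels down is never seen; the full walk reports it together with the path that pulls it in.

```python
"""Added example: a minimal Software Composition Analysis (SCA) walk.

Shows the blind spot described in the text: a scan that inspects only direct
dependencies misses a vulnerable package that arrives transitively.
Package names, versions and advisory IDs are constructed placeholders."""
from collections import deque

# Constructed resolved dependency graph, the shape a lockfile gives you:
# package -> (installed version, [direct dependencies of that package])
LOCK = {
    "webapp":          ("1.0.0", ["web-framework", "json-lib"]),
    "web-framework":   ("2.3.1", ["http-core", "template-engine"]),
    "json-lib":        ("4.0.0", []),
    "http-core":       ("1.9.0", ["url-parser"]),
    "template-engine": ("0.8.5", []),
    "url-parser":      ("0.2.0", []),
}

# Constructed advisory database: package -> [(first fixed version, advisory id)]
# An installed version is vulnerable when it is lower than the fixed version.
ADVISORIES = {
    "url-parser": [((0, 2, 4), "EXAMPLE-ADV-0001")],
    "json-lib":   [((4, 0, 1), "EXAMPLE-ADV-0002")],
}


def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0); tuples compare numerically, strings would not."""
    return tuple(int(p) for p in v.split("."))


def find_vulnerable(root: str, transitive: bool = True) -> list:
    """Breadth-first walk from `root`, returning one finding per vulnerable
    package. With transitive=False only `root`'s direct dependencies are
    inspected, mirroring a tool that ignores the rest of the tree."""
    findings = []
    seen = {root}
    # queue entries: (package, depth below root, path from root)
    queue = deque((dep, 1, [root, dep]) for dep in LOCK[root][1])
    while queue:
        pkg, depth, path = queue.popleft()
        if pkg in seen:          # the same package can be reached via several paths
            continue
        seen.add(pkg)
        version, deps = LOCK[pkg]
        for fixed_in, adv_id in ADVISORIES.get(pkg, []):
            if parse_version(version) < fixed_in:
                findings.append({
                    "package": pkg,
                    "version": version,
                    "advisory": adv_id,
                    "kind": "direct" if depth == 1 else "transitive",
                    "path": " -> ".join(path),
                })
        if transitive:
            for dep in deps:
                queue.append((dep, depth + 1, path + [dep]))
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in find_vulnerable("webapp", transitive=False):
        print("direct-only scan:", f)
    for f in find_vulnerable("webapp"):
        print("full-tree scan:  ", f)
```

The `path` field is the part worth keeping in a real report: a transitive finding is only actionable if you know which direct dependency to bump, exclude or pin.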
Many legacy SAST tools are notorious for producing a large number of false positives by incorrectly reporting flaws that don’t exist as well as flaws with negligible impact.
This often leads to alert fatigue as developers and DevOps try to mend wrongly reported vulnerabilities. Trying to validate every falsely reported vulnerability is time-consuming and can distract your teams from focusing on genuine security flaws.
However, new SAST technologies have emerged that can perform deeper and more accurate analysis in a variety of programming languages. A tool built for the language you actually use minimizes or even eliminates false positives compared with a generic solution that isn’t designed for it.
Also, take care to choose a tool that can be customized for your specific needs rather than relying on default settings. Doing so will once again improve accuracy and dramatically decrease the incidence of false positives. An uncustomized tool will naturally produce results that are irrelevant to your organization and can draw attention away from genuine vulnerabilities affecting your code base.
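The customization point above is easiest to see on a single rule. The following is an added example (not code from the original post or from any product): a small AST-based check that flags `os.system()` calls whose command is built from anything other than string literals and calls to a known sanitizer. Out of the box it knows only `shlex.quote`, so a team that routes input through its own wrapper (here the constructed name `safe_cmd`) gets a false positive on every use until that wrapper is added to the configuration. The sample source being scanned is constructed and is only parsed, never executed.

```python
"""Added example: one SAST rule with a tunable sanitizer list.

Rule: an os.system() call is a finding unless every non-literal piece of its
command argument is wrapped in a configured sanitizer. The default
configuration knows only shlex.quote; `safe_cmd` is a constructed
organization-specific wrapper that must be configured to avoid a false
positive."""
import ast

DEFAULT_SANITIZERS = {"shlex.quote"}


def _dotted_name(node: ast.AST) -> str:
    """Render call targets such as `os.system` or `shlex.quote`; '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def _is_safe(node: ast.AST, sanitizers: set) -> bool:
    """True when the expression can only produce a string the developer
    controls: literals, configured sanitizer calls, and concatenations or
    f-strings built solely from those."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.Call):
        return _dotted_name(node.func) in sanitizers
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_safe(node.left, sanitizers) and _is_safe(node.right, sanitizers)
    if isinstance(node, ast.JoinedStr):  # f-string
        return all(_is_safe(v.value, sanitizers) for v in node.values
                   if isinstance(v, ast.FormattedValue))
    return False


def check_shell_calls(source: str, sanitizers=None) -> list:
    """Return one finding per os.system() call with an unsafe command argument."""
    sanitizers = set(DEFAULT_SANITIZERS) | set(sanitizers or ())
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _dotted_name(node.func) != "os.system":
            continue
        if node.args and not _is_safe(node.args[0], sanitizers):
            findings.append({"line": node.lineno,
                             "rule": "shell-command-from-untrusted-input"})
    return findings


# Constructed code under review; `tools.safe_cmd` is a hypothetical wrapper.
SAMPLE = '''
import os, shlex
from tools import safe_cmd

def run(user_input):
    os.system("ls -l")                          # literal only: fine
    os.system("ls " + shlex.quote(user_input))  # known sanitizer: fine
    os.system("ls " + safe_cmd(user_input))     # org wrapper: false positive by default
    os.system("echo " + user_input)             # genuine finding
'''


def compare_configs():
    """Flagged line numbers with the default and with a tuned configuration."""
    default = check_shell_calls(SAMPLE)
    tuned = check_shell_calls(SAMPLE, sanitizers={"safe_cmd"})
    return [f["line"] for f in default], [f["line"] for f in tuned]


if __name__ == "__main__":
    print("default config flags lines:", compare_configs()[0])
    print("tuned config flags lines:  ", compare_configs()[1])
```

The tuning that removes the false positive is a one-line allowlist entry, which is exactly the kind of organization-specific knowledge a default ruleset cannot have; the genuine finding on the last line survives both configurations.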
In an ideal world, SAST tools would identify all real vulnerabilities and seldom detect false positives. However, that hasn’t been the case until now. New-generation SAST technology makes it realistic to achieve a far lower rate of false positives.