Three Big Myths About Application Testing With SAST Tools

Static Application Security Testing (SAST) is one of the principal techniques for assessing the source code of applications to detect possible vulnerabilities. SAST enhances application security during the early stages of the development life cycle and plays an important role in shifting security left.

However, there are quite a few myths that are often associated with implementing SAST security tools. Let’s run through the big three: 

Myth #1. All SAST security tools are created equal.

It’s a common misconception that SAST security tools all pretty much do the same thing, so choose your SAST tool carefully. Here are some things to keep in mind. 

  • Speed. Some traditional SAST solutions cannot meet the fast-paced demands of today’s development environment, and create bottlenecks. The new generation of SAST tools can scan your code base quickly and generate results within a few minutes. 
  • Integration. SAST tools should comfortably integrate with your existing DevOps environment and CI/CD pipeline, and work within your developers’ existing workflow. Why? Because forcing developers to switch to a different tool to scan and test both impairs productivity and increases the chance that they’ll compromise security by not using the tool at all. 

Reducing Enterprise Application Security Risks:

More Work Needs to Be Done

Myth #2. SAST tools scan all code. 

SAST tools check and fix flaws in custom, or proprietary code. However, in most modern applications, more than 80 percent of the code base is composed of open source components. Relying purely on SAST tools leaves a significant portion of your application’s attack surface unprotected. If open source direct and transitive dependencies are not scanned, they could introduce a blind spot that could jeopardize the security of your applications. In today’s constantly evolving threat landscape, it’s best to combine SAST with Software Composition Analysis (SCA) tools, which identify vulnerabilities in the open source components of your code. Doing so enables you to perform comprehensive analyses and detect problems throughout your code base, whatever the sources. Importantly, all of your code will be covered. 

Ideally, an integrated security platform is the best strategy for seamless scanning across SAST and SCA tools. For complete visibility into application code, look for a platform that uses an extensive database of known vulnerabilities sourced from different, up-to-date outlets, and that supports the widest range of different programming languages. Furthermore, recent innovation in SAST technology provides automatica remediation of code flaws in custom code for the first time. This allows companies to use a single platform to both find and automatically fix application security holes in both open source and custom code.

Myth #3. Targeting a low rate of false positives is impossible.

Many legacy SAST tools are notorious for producing a large number of false positives by incorrectly reporting flaws that don’t exist as well as flaws with negligible impact. 

This often leads to alert fatigue as developers and DevOps try to mend wrongly reported vulnerabilities. Trying to validate every falsely reported vulnerability is time-consuming and can distract your teams from focusing on genuine security flaws.

However, new SAST technologies have emerged that can perform deeper and more accurate analysis in a variety of programming languages. The ability to scan in a preferred language minimizes or even eliminates false positives compared with a generic solution that isn’t designed to do so.

Also, take care to choose a tool that can be customized for your specific needs rather than relying on default settings. Doing so will once again improve accuracy and dramatically decrease the incidence of false positives. An uncustomized tool will naturally produce results that are irrelevant to your organization and can draw attention away from genuine vulnerabilities affecting your code base.

In an ideal world, SAST tools would identify all real vulnerabilities and seldom detect false positives. However, that hasn’t been the case until now. New-generation SAST technology makes it realistic to achieve a far lower rate of false positives.

Learn more about reducing false positives here, and for more information about Mend SAST, click here.

Meet The Author

Adam Murray

Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.

Subscribe to Our Blog