Open source, lightweight, or home-grown SAST tools are cropping up like weeds in a summer garden. Development teams are considering these convenient SAST options as valid approaches to meeting AppSec program requirements for static code analysis. That is usually a misperception of what is really needed.
I tried to address this misperception last year in a blog post entitled In-depth analysis comes at a cost – and so does a breach! That post's premise was that the cost of a data breach outweighs the convenience of lightweight SAST tools that provide inadequate visibility into application weaknesses and vulnerabilities.
Recently a colleague of mine, Joshua Hamilton, made a post on LinkedIn with a graphic that summed up the issue well.
The bottom line is that these convenient SAST tools are not enterprise grade. Taking security seriously deserves a purpose-built tool, not a code-quality tool with security rules bolted on the side. We believe you need to go beyond structural pattern matching and apply high-quality security rules through analyses such as dataflow and control-flow analysis to identify weaknesses and vulnerabilities in software. Structural matching can flag a dangerous call where it sees one, but it cannot tell whether the value reaching that call came from an untrusted source, or whether it was sanitized on the way, and those two questions are what separate a real finding from noise.
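To make the structural-matching versus dataflow distinction concrete, here is a small added example. It is not Fortify code and not from the original post: a regex "structural" rule is placed beside a toy intraprocedural taint tracker built on Python's ast module, and both are run over three constructed snippets. The source, sink and sanitizer lists (request, os.system, subprocess.call, shlex.quote) are assumptions chosen for the demonstration.

```python
import ast
import re

# Constructed sample 1: the untrusted value reaches os.system only after
# passing through an intermediate variable and string concatenation.
VULNERABLE = '''
def handler(request):
    host = request.args["host"]
    cmd = "ping -c 1 " + host
    os.system(cmd)
'''

# Constructed sample 2: same shape, but the value is quoted first, so the
# flow to the sink is no longer a finding.
SANITIZED = '''
def handler(request):
    host = shlex.quote(request.args["host"])
    cmd = "ping -c 1 " + host
    os.system(cmd)
'''

# Constructed sample 3: the only shape a naive structural rule catches.
DIRECT = '''
def handler(request):
    os.system(request.args["cmd"])
'''

# A "structural" rule: fires only when the source appears literally as the
# sink's argument. It has no notion of where a variable's value came from.
STRUCTURAL_RULE = re.compile(r"os\.system\(\s*request\b")

# Assumed taint model for the demonstration (a real rulepack models many
# more sources, sinks and sanitizers, per language and framework).
SOURCES = {"request"}
SINKS = {("os", "system"), ("subprocess", "call")}
SANITIZERS = {("shlex", "quote")}


def structural_scan(src):
    """Return True if the regex rule fires anywhere in the source text."""
    return bool(STRUCTURAL_RULE.search(src))


def qualname(func):
    """Return ('module', 'attr') for calls like os.system, else ()."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return ()


class TaintTracker(ast.NodeVisitor):
    """Toy intraprocedural taint tracking over assignments and calls."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # (line, sink) pairs where taint reaches a sink

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in SOURCES or node.id in self.tainted
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return self.is_tainted(node.value)      # request.args["x"]
        if isinstance(node, ast.BinOp):             # "prefix " + tainted
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):         # f"...{tainted}..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            if qualname(node.func) in SANITIZERS:   # a known sanitizer clears taint
                return False
            return any(self.is_tainted(a) for a in node.args)  # unknown calls pass it on
        return False

    def visit_Assign(self, node):
        # Propagate (or clear) taint through simple name assignments.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        # Report a sink call whose arguments carry taint.
        if qualname(node.func) in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, ".".join(qualname(node.func))))
        self.generic_visit(node)


def dataflow_scan(src):
    """Parse the source and return the list of (line, sink) findings."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(src))
    return tracker.findings


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE), ("sanitized", SANITIZED), ("direct", DIRECT)]:
        print(f"{name:10s} structural={structural_scan(src)!s:5s} dataflow={dataflow_scan(src)}")
```

The regex rule catches only the DIRECT sample; it misses the VULNERABLE sample because the source never appears in the sink call's text, and it would equally miss or equally flag the SANITIZED sample depending on how it was written, since it cannot see the sanitizer at all. The taint tracker reports VULNERABLE and DIRECT and stays quiet on SANITIZED because shlex.quote is modelled as clearing taint. The toy stops where real engines begin: it is intraprocedural, ignores control flow (branches, loops, early returns), does not track taint through containers or object fields, and knows only three library functions. The value of a maintained rulepack is precisely the breadth and accuracy of those source, sink, sanitizer and framework models.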
I believe one of the core Fortify differentiators is our research team, which reliably ships quarterly rulepack updates across a broad set of programming languages and frameworks. That is huge, and something these lightweight alternatives cannot match. With Fortify SAST you get a tool that models the libraries and frameworks you use, not just the syntax of the language, which is what makes advanced vulnerability detection possible. We also have a dependable product release cadence, maintained despite the challenges of the pandemic and disruptive geopolitical conflicts.
An aspect of the perception problem is that we need to do a better job of showing the value Fortify SAST brings to our customers. We have not always made it easy for them to discover Fortify's capabilities for themselves. The Fortify team is taking this on by revamping its Web presence and publishing new content that conveys the value of Fortify SAST and of the rest of the Fortify portfolio. Check out some of the new AppSec pages below:
- Complete overhaul of Fortify Portfolio page
- Developer Driven AppSec
- DevSecOps Demystified
- Your Trusted Partner in AppSec
- Infrastructure as Code (IaC)
- Software Composition Analysis
- Container Security
- Audit Assistant
- AWS
- Azure
- Debricked (Software Composition Analysis)
- API Security
- Fortify On Demand – Security as a Service
- Fortify Hosted (PaaS)
- Fortify Professional Services
Returning to the primary point of this blog: minimizing friction for developers is important, but balance is needed. Shortcuts in thorough application security testing can result in costly breaches that exploit weaknesses in the application-layer attack surface. And with the 2022 Verizon Data Breach Investigations Report indicating that the top assets impacted in breaches were Web applications, at 56%, we need to be doing all we can to identify and remediate security weaknesses in applications.
Fortify SAST provides quality scans at scale to expose application security risk. What you do not want is a false sense of security from a tool that makes everything look okay when it is not.
Check out some of the new Web content above to learn more about Fortify’s capabilities.