SAST 101: The What, Why, and How of Static Testing

by Micro Focus Employee in CyberRes

When it comes to application security, static application security testing (SAST) is critical. A white-box testing tool, SAST identifies the root cause of vulnerabilities in an application’s source code. 

SAST 101 The What, Why, and How of Static TestingFortify offers an industry-leading SAST solution, Static Code Analyzer, which has recently been recognized by G2 and PeerSpot as a best-in-class product offering. Nobody knows Static Code Analyzer better than Frans van Buul, Product Manager for Fortify SAST. I was able to sit down with Frans recently and pick his brain about the basics of SAST, its strengths and weakness, and where he sees SAST going in the future. 

Here's a recap of my conversation with Frans about SAST, and you can also watch a video of our full interview, What is SAST? on our Fortify Unplugged channel. 

Andrew Garrett: Hello everyone and welcome to another episode of AppSec 101. I am pleased to be joined today by my guest Frans van Buul. Frans is actually based out of the Netherlands and he is a Senior Product Manager for Fortify SAST. Frans, I am very honored to have you as my guest today as we discuss all things SAST. 

Frans van Buul: Thanks for having me! 

What is SAST? 

AG: Well with that let's dive right into it. As I mentioned today we're going to be answering the question, “What is SAST,” so to start things off, Frans would you be able to give our viewers a basic introduction of SAST? 

FVB: So SAST is an acronym that stands for static application security testing and it's a form of security testing that focuses on the source code of an application. So while doing SAST you don't have to actually run the application, it's static that's why it's called static analysis. 

It is very similar to what an expert auditor would do if they would be reviewing your code and looking for potential security problems, except it automates this process to pull that off. The SAST tool needs multiple capabilities to understand the programming languages that you want to analyze. It needs to understand the patterns that can occur there, the data flows that occur, the libraries that you're using—all that kind of stuff. 

Another important thing about the SAST tool is that you know in its most narrow sense what it does is look at source code and output results. In practice, that's not enough to run an enterprise security program. You need to have all kinds of integrations with IDEs that developers use with build systems, but also you need to have some kind of system that can aggregate the results of many applications in many different scans, or some form of dashboard reporting. So when we talk about SAST solutions in the broader sense of the word that's also included with it. 

Strengths and Weakness of SAST 

AG: Ok, so SAST is an important part of application security and what are some of the strengths of SAST and then also what are some of the weaknesses? 

FVB: So the strength of SAST is that it's scalable. So SAST primarily replaces the idea of an expert reviewer looking at your source code, but if you look at modern application portfolios, they may easily be a thousand applications or more and you might be releasing them every week. So, if you want to review all of these applications before you put them in production, as you should from a security point of view, that gives you 50,000 reviews per year. There's no organization that can possibly pull that off. SAST can actually do that, so that scalability, I would say, is its main strength. 

It's also relatively fast—it's much faster than any of these security auditors, so from that point of view it's a strength. Some people also consider it a weakness because they want it to be even faster. So, if you look at the speed of modern development processes some organizations want to go into production many times per day and if you do a SAST scan of a big application that takes two hours, that may be a bottleneck. So in that sense speed is a bit of a two-sided thing. 

Another strength of SAST is that it can find many things also when they're not yet manifesting themselves as an actual vulnerability. If it's a bad practice that could later on become a problem, SAST can already find it and give very detailed feedback to developers, which is also a good thing because it allows them to fix the problem much quicker than if they would just get a vague description of the problem.  

Somewhat on the more negative side of SAST is that it tends to be a bit noisy. Not all the results that a SAST tool reports tend to be actually true, so those results are called false positives. They are problematic because developers need to put in time to review them and they may lose faith in the tool if there are too many. 

How do SAST and DAST work together? 

AG: Let’s talk a little bit about DAST and how SAST and DAST work together. DAST is dynamic application security testing. So, how does it differ from static testing and is there any overlap between the two? What's the relationship between those two types of testing? 

FVB: Yeah it's a good question. So, DAST like you said is dynamic testing. The essence of it is that it uses a running application, and whereas SAST is like an expert code reviewer looking at your source code, DAST is more like a hacker trying to get into your application and we're trying to automate that process. If you look at you know how they compare they both have their strengths and weaknesses. 

DAST tends to be slower than SAST but a big benefit of DAST is that it is less prone to false positives. That makes a lot of sense because everything it reports is based on the actual observed behavior of the application so that it’s pretty reliable. 

If you can do both SAST and DAST, that gives the maximum reliability of results. There are some issues that can only be found using SAST and some issues that can only be found using DAST. DAST can help verify SAST issues, so if you're in a position to use them both, that's ideal from a security point of view. 

The Future of SAST 

AG: Where do you see SAST going in the future? 

FVB: Well there are many things going on—it's a very active area. One trend that we're clearly seeing already happening right now is that customers are using SAST to scan everything that's code. And that may seem like a not-so-interesting fact, but the thing to keep in mind is that there is a lot of code that's not really related to applications. We nowadays have lots of code that's related to infrastructure—infrastructure as code, so terraform, Azure Resource Manager templates, things like that. So you might even wonder whether SAST is still the proper acronym three years from now because many of much of the code that we're scanning nowadays is actually not related to an application. 

Another thing is auto remediation. So right now SAST tools suggest how you should fix an issue but don't actually fix it. That's still up to the developer, which takes some time. Now I don't think you will ever be able to do it in all cases, but in some cases that fix could actually be implemented automatically by an algorithm. It would probably still be reviewed by humans, but they might just approve or not approve a particular fix. That might happen in the IDE, that might take the form of a pull request automatically launched against the source code repository, but something like that is definitely going to happen in the in the coming years. We already see this being experimented with in the related fields of composition analysis. There the fixes are usually to upgrade the version of a library, which is, in terms of the source code editing you have to do, relatively easy. But that type of technology is definitely also coming to the SAST field. 

AG: Perfect. Well thank you so much Frans for joining me today. We'll see you next time on another episode of AppSec 101. Thanks! 

To listen to the full interview with Frans van Buul, check out the Unplugged video, What is SAST? 

More About Fortify

CyberRes Fortify delivers software resilience for modern development with a holistic, inclusive, and extensible application security platform from a trusted partner that supports today’s enterprises. This comprehensive suite of products brings holistic security and visibility to developers, AppSec professionals and key stakeholders with automated integrations for any tool, anywhere in the SDLC and a robust set of capabilities available on premise, cloud-hosted, or as a managed service.

Join our Fortify Community. Have technical questions about Application Security products? Visit the Fortify discussion forum. Keep up with the latest Tips & Info about Application Security. We’d love to hear your thoughts on this blog. Log in or register to comment below.


Application security