Static Application Security Testing (SAST) is a set of technologies designed to analyze the source code of software for security defects. The analysis searches for code fragments that may contain potential vulnerabilities.
A potential vulnerability is a bug that could be exploited to compromise the system or disrupt its logic. Once an attacker has exploited such a security weakness, it becomes a real vulnerability. Read more about potential vulnerabilities here.
SAST helps find potential vulnerabilities at the early stages of software development. It is part of the Secure Software Development Life Cycle (Secure SDLC) and the DevSecOps pipeline.
Here are some of the vulnerabilities that SAST tools look for:
You can find the most common and dangerous vulnerabilities in the OWASP Top 10 list.
To understand how SAST works, let's look at how an SQL injection is detected:
using System.Data.SqlClient;
using System.Web;

class RequestHandler
{
    private readonly SqlConnection _connection;   // assumed to be opened elsewhere

    void ProcessRequest(HttpRequest request)
    {
        // External input: whatever the client put into the form field
        string name = request.Form["name"];
        // Vulnerable: the input is concatenated straight into the query text
        string sql = $"SELECT * FROM Users WHERE name='{name}'";
        using (var command = new SqlCommand(sql, _connection))
        {
            ....   // execute the query and process the result
        }
        ....
    }
}
Here an SQL query is built from data entered by a user. Such an approach is dangerous since external data can be controlled by an attacker. Instead of the data we expect (in this case, a name), a user may pass an SQL command, and executing the resulting query is then dangerous. Depending on the SQL command, it can lead to deleting tables or the entire database, extracting an arbitrary number of records, etc.
SAST tools find this vulnerability with the help of taint analysis. A SAST solution assumes that external data may be compromised (tainted). The analyzer tracks the tainted data through the program and warns the developer when it reaches the SqlCommand constructor. This means that executing such a command can be dangerous, and the code contains a security weakness.
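To make the taint-tracking idea concrete, here is a deliberately tiny taint analyzer, written in Python as an added illustration; it is not the code of any real SAST product. It works one statement per line over the C# fragment above, knows a single source (request.Form[...], plus request.QueryString[...] as an assumed second source) and a single sink (the first argument of new SqlCommand(...)), and propagates taint through assignments and string interpolation holes. It has no control flow, no sanitizer model and no interprocedural tracking; a real engine has all of these. The two constructed samples are the page's vulnerable query and a parameterized rewrite of it.

```python
import re

# Constructed samples (not from any project): the page's vulnerable fragment,
# and a parameterized rewrite of the same query.
VULNERABLE = """\
string name = request.Form["name"];
string sql = $"SELECT * FROM Users WHERE name='{name}'";
using (var command = new SqlCommand(sql, _connection))
"""

PARAMETERIZED = """\
string name = request.Form["name"];
string sql = "SELECT * FROM Users WHERE name = @name";
using (var command = new SqlCommand(sql, _connection))
command.Parameters.AddWithValue("@name", name);
"""

# Taint sources: expressions that yield attacker-controlled data
# (request.QueryString is an assumed second source for illustration).
SOURCES = [re.compile(p) for p in (r"request\.Form\[", r"request\.QueryString\[")]
# Taint sink: the SqlCommand constructor; its first argument is the query text.
SINK = re.compile(r"new SqlCommand\(\s*([A-Za-z_]\w*)")
# Assignment: optional declaration keyword, target variable, right-hand side.
ASSIGN = re.compile(r"^(?:string|var)?\s*([A-Za-z_]\w*)\s*=\s*(.+);$")
STRING = re.compile(r'\$?"(?:[^"\\]|\\.)*"')   # string literal, interpolated or not
HOLE = re.compile(r"\{([A-Za-z_]\w*)\}")       # {ident} inside $"..."
IDENT = re.compile(r"[A-Za-z_]\w*")


def referenced_vars(rhs):
    """Variables whose value flows into the right-hand side of an assignment."""
    names = set()
    for literal in STRING.findall(rhs):
        if literal.startswith("$"):
            names.update(HOLE.findall(literal))      # interpolation holes carry data in
    names.update(IDENT.findall(STRING.sub(" ", rhs)))  # identifiers outside literals
    return names


def taint_analyze(code):
    """Return (line number, variable) pairs where tainted data reaches the sink."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(code.strip("\n").splitlines(), 1):
        line = raw.strip()
        m = ASSIGN.match(line)
        if m:
            target, rhs = m.group(1), m.group(2)
            if any(src.search(rhs) for src in SOURCES) or referenced_vars(rhs) & tainted:
                tainted.add(target)       # read from a source, or built from tainted data
            else:
                tainted.discard(target)   # overwritten with clean data
        sink = SINK.search(line)
        if sink and sink.group(1) in tainted:
            findings.append((lineno, sink.group(1)))
    return findings


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("parameterized", PARAMETERIZED)):
        print(label, taint_analyze(sample))
```

On the vulnerable sample the analyzer reports line 3, because `name` is tainted by the source on line 1 and the interpolation on line 2 carries that taint into `sql`. On the parameterized sample `sql` is a constant and the tainted `name` only reaches `AddWithValue`, which is not a sink, so nothing is reported: this is exactly the distinction a SAST warning pushes the developer towards.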
Pros:
Cons: