Static Application Security Testing (SAST)

30 Sep 2022

What is SAST?

Static Application Security Testing (SAST) is a set of technologies for analyzing an application's source code for security defects. The analysis searches for code fragments that may contain potential vulnerabilities.

A potential vulnerability is a bug that could be exploited to compromise the system or disrupt its logic. Once an attacker actually exploits such a security weakness, it becomes a real vulnerability. Read more about potential vulnerabilities here.

SAST helps find potential vulnerabilities at the early stages of software development, when they are cheapest to fix. It is part of the Secure Software Development Life Cycle (Secure SDLC) and of the DevSecOps pipeline.

Here are some kinds of weaknesses that SAST tools look for:

  • code that passes user-controlled input into a query, parser, or file API without validation (for example, XSS, SQL injection, XXE, path traversal);
  • use of outdated or weak cryptographic protocols and algorithms;
  • passwords and other secrets hard-coded in the source, etc.

The most common and dangerous categories are collected in the OWASP Top 10 list.

To understand how SAST works, let's look at how an SQL injection is detected:

using System.Data.SqlClient;
using System.Web;

// Deliberately vulnerable: the query text is built from request data.
void ProcessRequest(HttpRequest request)
{
  string name = request.Form["name"];   // taint source: attacker-controlled input

  // The tainted string becomes part of the SQL statement itself.
  string sql = $"SELECT * FROM Users WHERE name='{name}'";
  using (var command = new SqlCommand(sql, _connection))   // sink: SQL command constructor
  {
    ....
  }
  ....
}

Here the SQL query text is built from data entered by a user. This is dangerous because external data cannot be trusted: instead of the value we expect (here, a name), a user may pass SQL syntax of their own, and because the string is spliced directly into the query, that syntax is executed as part of it. Depending on the injected SQL, this can lead to deleting tables or the entire database, extracting an arbitrary number of rows, and so on. The fix is to pass the value as a bound parameter (for example, a SqlParameter) instead of concatenating it into the query text, so user data never becomes SQL code.

SAST tools find this vulnerability with taint analysis. The analyzer treats every value that comes from an external source (here, request.Form) as potentially compromised, or tainted, and propagates that taint through assignments, string formatting, and concatenation. When tainted data reaches a sensitive sink, here the constructor of the SQL command, the analyzer warns the developer: the command may be dangerous to execute, so the code contains a security weakness. Taint is cleared only when the data passes through a sanitizer the analyzer recognizes, or when the data is passed as a bound parameter rather than as query text; that is why parameterized queries silence the warning and the string-built query does not.
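To make the source-to-sink idea concrete, here is a toy taint tracker, added for this article and not part of PVS-Studio or the original post, written in Python over the standard ast module so the analyzer itself can run in a few dozen lines. The source/sink model is an assumption made for the example (request.form as a source, cursor.execute as the sink, int() as a sanitizer), and both handler samples are constructed inputs. It implements exactly the rule described above: the warning fires only when tainted data ends up in the query text (the first argument of execute), so a parameterized call passes.

```python
import ast

# Source/sink model assumed for this toy analyzer. A real SAST tool ships a
# large, per-framework catalogue of these; this one is deliberately tiny.
SOURCES = {"request.form", "request.args"}   # attacker-controlled inputs
SANITIZERS = {"int"}                         # calls whose result cannot carry SQL
SINK_METHOD = "execute"                      # cursor.execute(query_text, params)


def _dotted(node):
    """Render a Name/Attribute chain such as request.form as 'request.form'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive, intra-procedural taint tracking over a module's code."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding attacker data
        self.findings = []     # (line, message) for each tainted sink argument

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Subscript):            # request.form["name"]
            return _dotted(node.value) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Attribute):
            return _dotted(node) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            if _dotted(node.func) in SANITIZERS:       # int(x) cleans the taint
                return False
            # name.strip() or "...{}".format(name): taint survives the call
            receiver = node.func.value if isinstance(node.func, ast.Attribute) else None
            if receiver is not None and self.is_tainted(receiver):
                return True
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):            # f"...{name}..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):                # "..." + name, "..." % name
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)    # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        # Only the query text (first argument) is a sink; bound parameters are safe.
        if (isinstance(node.func, ast.Attribute) and node.func.attr == SINK_METHOD
                and node.args and self.is_tainted(node.args[0])):
            self.findings.append(
                (node.lineno, "tainted data reaches %s()" % _dotted(node.func)))
        self.generic_visit(node)


def find_sql_injections(source):
    """Return [(line, message), ...] for every execute() fed a tainted query."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed samples (not from the article): a vulnerable handler and a safe one.
VULNERABLE = '''
def handler(request, cursor):
    name = request.form["name"].strip()                    # source; strip() keeps taint
    sql = f"SELECT * FROM users WHERE name = '{name}'"     # query text built from taint
    cursor.execute(sql)                                    # sink: flagged (line 5)
    cursor.execute("SELECT 1 FROM users WHERE name = '%s'" % name)   # flagged (line 6)
'''

SAFE = '''
def handler(request, cursor):
    name = request.form["name"]
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # bound parameter
    user_id = int(request.form["id"])                               # sanitized by int()
    cursor.execute("SELECT * FROM users WHERE id = " + str(user_id))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(label, find_sql_injections(src))
```

Running it reports two findings for the vulnerable handler (lines 5 and 6 of that sample) and none for the safe one. Note what the toy does not do: it ignores control flow, function boundaries, and collections, and its sanitizer list is a single entry; those gaps are exactly where real analyzers earn both their precision and their false positives.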

Pros and cons of SAST

Pros:

  • pinpoints the exact location of a potential vulnerability in the source code and suggests how to fix it;
  • doesn't require running the application;
  • covers the entire codebase, including paths that tests never exercise;
  • supports the shift-left principle: defects are found while the code is still being written.

Cons:

  • produces false positives that need triage;
  • can't analyze libraries and frameworks whose source code is unavailable;
  • is tied to the programming language: each language in the project needs its own analyzer.
