Introduction to SAST Scanning

Author(s): Scott Norberg Published on: 2023-03-02

SAST, or Static Application Security Testing, refers to scanners that analyze source code to find security vulnerabilities. To save us the trouble of writing the simpler, more straightforward description, here’s a lightly edited version of what ChatGPT says about SAST scanning:

Static Application Security Testing (SAST) is a security testing technique that helps identify security vulnerabilities in the source code of an application. SAST scanning is typically performed using specialized tools that scan the source code of an application for potential security weaknesses.

SAST scanning is an essential part of a comprehensive software development lifecycle (SDLC) security strategy. By analyzing the source code for potential security issues, developers can identify and remediate vulnerabilities early in the development process, when they are typically easier and less expensive to fix.

SAST tools can detect a wide range of vulnerabilities, including buffer overflows, injection flaws, and authentication and authorization issues. These tools typically generate detailed reports that provide information about the location of the vulnerabilities and recommendations for how to remediate them.

Overall, SAST scanning is an important tool for software developers to use in order to help ensure that their applications are secure. By scanning the source code for potential security issues, developers can identify and fix vulnerabilities before they can be exploited by attackers.

This is a pretty accurate, if a bit bland, summary of the benefits of SAST scanning. To read more about the benefits and features of SAST scanning, here are a few of the better-known SAST products available on the market today:

One note: not including SonarQube in the list was not an accidental oversight on our part. We love SonarQube. As far as we've seen, it is a best-in-class solution for finding maintainability issues with your code. But it is a code quality scanner that also happens to scan for some security issues rather than a pure SAST tool, and the difference in security findings shows when you compare the scan results between SonarQube and pure SAST tools.

SAST Pitfalls

While we would agree that SAST scanning is indeed an important tool for software developers to use, it is not without its challenges. Let's dig further into a few of these now:

Cost

DAST (Dynamic Application Security Testing) tools come in a number of different options that let you get a decent scan for a low price. While we haven't obtained pricing for all of the SAST scanners in our list, those that we have are extremely expensive. We've used some low-priced and free options for .NET code and were unimpressed. So until proven otherwise, our experience is that if you want decent results from a SAST scan, expect to pay a lot of money.

Language Support is an Issue

SAST scanners work by analyzing your source code. That works if you are using a well-known language or a common framework. If, however, you are using a newer language or framework your SAST tool may not scan your code. If you do use bleeding-edge technologies, be sure to choose a SAST tool that will keep up.

Scanners Often Misunderstand Code

SAST scanners will often misinterpret your code, leading to false positives. A common example we see is when input is checked for malicious content and then used in a way that would be a vulnerability had it not been cleaned. Sometimes a scanner will recognize the input validation, but often it will not. Issues like these can be hard for developers validating the vulnerability to spot.

Unfortunately, this can also mean that teams will mistakenly think that a true positive is a false one. One common example of this occurs when input is checked and sanitized in JavaScript before being sent to the server. Developers often think that this is enough to be secure, but they are wrong. It is trivially easy for attackers to bypass checks made in JavaScript and send their own malicious input directly to your server.
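As an added example (not code from the original post), here is the pattern the two paragraphs above describe, in JavaScript: the same allow-list check runs in the browser and again in the server handler, and the server uses the value only as a bound query parameter, so its safety does not depend on a scanner recognizing the upstream validation. The handler names, the in-memory database stand-in and the sample inputs are constructed for this illustration.

```javascript
// Shared allow-list validator: an account ID must be 1 to 10 decimal digits.
function isValidAccountId(value) {
  return typeof value === "string" && /^[0-9]{1,10}$/.test(value);
}

// "Client side": what the browser form handler does before submitting.
// This only improves the user experience; anyone can skip it and post
// a request body directly to the server.
function clientSubmit(formValue) {
  if (!isValidAccountId(formValue)) return null; // form refuses to send
  return { accountId: formValue };                // body that would be posted
}

// "Server side": the request handler. It must not assume clientSubmit ran,
// so it re-validates, then passes the value only as a bound parameter.
function handleLookup(requestBody, db) {
  const id = requestBody && requestBody.accountId;
  if (!isValidAccountId(id)) {
    return { status: 400, body: "invalid account id" };
  }
  // Parameterised query: the SQL text is a constant and the value travels
  // separately, so even a value that slipped past validation could not
  // change the structure of the query.
  const rows = db.query("SELECT name FROM accounts WHERE id = ?", [id]);
  return { status: 200, body: rows };
}

// Constructed in-memory stand-in for a parameterised database driver.
// It records the SQL and parameters it received so a caller can confirm
// the SQL text never varies with the input.
const fakeDb = {
  data: { "42": "alice" },
  lastSql: null,
  lastParams: null,
  query(sql, params) {
    this.lastSql = sql;
    this.lastParams = params;
    const name = this.data[params[0]];
    return name ? [{ name }] : [];
  },
};

// Normal path: browser check passes, server check passes, row returned.
const viaBrowser = handleLookup(clientSubmit("42"), fakeDb);

// Bypass path: the browser check is skipped and a crafted body is posted
// directly. The server-side check rejects it before any query runs.
const direct = handleLookup({ accountId: "42 OR 1=1" }, fakeDb);
```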

Full Scans Take a While

Ideally, software development teams would get feedback as soon as they check in, if not as they are writing code. While you can get security-specific feedback using these types of tools, good scans often take hours, making them impractical for this type of quick feedback.

To get around this issue, many scanners will offer two types of scans: a full scan that analyzes all of the code and a quick one that only analyzes what it thinks has changed. If you want to run scans as a part of the check-in or build processes, running a quick scan on demand and a full scan over the weekend is an option to consider.

Expect False Positives

Most SAST scanners produce a large amount of "noise", or findings that are either false positives or can safely be ignored. Sifting through this noise will require a lot of time and effort from your development teams (and ideally with help from someone who knows security). There are several pieces of advice we can give to help with this problem:

  • Don't look at each and every finding. If there are 500 findings that all look the same, they probably are. Look at a handful across multiple files and decide whether the problem actually exists before pursuing all items of that type.
  • Focus on the highest priority items first. While there are cases when multiple findings marked Medium severity can be chained together for a serious attack, in most cases, the severity as reported by the scanner matches adequately with the actual risk of the finding. Knock out the items marked Critical first and go from there.
  • Focus on making the list smaller while making sure that no new items are added to the list. You may not be able to make everything perfect after your first scan, but you can make things better each sprint.

And don't get discouraged! Many development teams got through similar lists and made it out the other side. You can too!

Are SAST Scanners Worth the Hassle?

Despite spending more time on the drawbacks and challenges than the benefits, we very much think that SAST scanning is worth pursuing. In our opinion, most of the challenges we've outlined here are more annoyances than true roadblocks. The largest true roadblock that we see is the cost. As mentioned earlier, good SAST tools aren't cheap. If you can afford it, though, we highly recommend pursuing it. If not, perhaps by investing in DAST scanning along with quality training you can mitigate the worst of your vulnerabilities.

Have any questions about anything presented here or do you have anything to add? Please comment below!

Further Questions?

If you have further questions about this post or anything else related to securing your websites and custom-built software, you can:
