What is SAST?
The term static application security testing describes a security concept in software development: instead of testing a finished application after the fact, the checks are carried out early in development. This has advantages and disadvantages.
In many cases, IT security or software quality assurance teams examine code for security weaknesses only after it has been written. Penetration tests, for example, are meant to reveal relevant gaps in running applications.
“Static Application Security Testing” (SAST, rendered in German as a static software testing procedure) moves the testing date significantly forward. For this purpose, special programs scan the code at an early stage to uncover weak points. As a rule, these tools also recommend how a vulnerability can be fixed directly.
This is how Static Application Security Testing works
SAST is a so-called white-box process: the code is visible and does not have to be running, which is why it is called “static”. The tests can identify three types of security threats.
- First, there are functional loopholes, for example points where “tainted code” can be injected: lines through which malware can later be introduced.
- Second, there are lines that interact with files or certain classes of objects. Here, too, the concern is the smuggling in of malware.
- Third, there are gaps at the application level: can the code be used to interact with third-party programs unnoticed? Hackers exploit such vulnerabilities, for example.
As a rule, several different SAST tools should be run over the code, and at regular intervals. The scanners must also be adapted to your own needs; they do not work completely “out of the box” the way most developers would like. The Open Web Application Security Project (OWASP) Foundation offers assistance: it not only lists typical security vulnerabilities but also gives recommendations for suitable SAST tools.
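To make the “static” and “tainted code” points concrete, here is a deliberately small taint-tracking scanner added for this article (not the code of any SAST product): it parses Python source without executing it and reports every call to a configured dangerous sink whose argument is derived from a configured untrusted source. The sample handler, the source and sink lists, and the function names are constructed for the example; the lists are also where the tuning to one's own code base that the text mentions would happen.

```python
import ast

# Constructed sample: a Flask-style handler with one tainted data flow. The scanner
# only parses this text; nothing in it is executed (white box, no running code).
SAMPLE = '''
import os, subprocess
from flask import request

def ping():
    host = request.args.get("host")   # untrusted input: taint source
    cmd = "ping -c 1 " + host         # taint propagates through the assignment
    os.system(cmd)                    # dangerous sink reached with tainted data
    subprocess.run(["ls", "-l"])      # sink called with constants only: no finding
'''

# Rule set (constructed); adapting these lists to the code base is the tuning step.
SOURCES = {"request.args", "request.form", "input"}
SINKS = {"os.system", "subprocess.run", "eval", "exec"}

def dotted(node):
    """Render a Name/Attribute/Call chain such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return dotted(node.value) + "." + node.attr
    if isinstance(node, ast.Call):
        return dotted(node.func)
    return ""

def is_tainted(node, tainted, sources):
    """True if any sub-expression is a taint source or an already-tainted variable."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        name = dotted(sub)
        if name and any(name == s or name.startswith(s + ".") for s in sources):
            return True
    return False

def scan(source, sources=SOURCES, sinks=SINKS):
    """Return (line, sink) pairs where tainted data reaches a sink, per function."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:  # statement order gives simple flow-sensitive propagation
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted, sources):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in (c for c in ast.walk(stmt) if isinstance(c, ast.Call)):
                if dotted(call.func) in sinks and any(is_tainted(a, tainted, sources) for a in call.args):
                    findings.append((call.lineno, dotted(call.func)))
    return findings
```

`scan(SAMPLE)` returns `[(8, 'os.system')]`; narrowing `sources` or `sinks` shows how a rule set that is not adapted to the code base either misses the flow or floods the developer with findings.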
Advantages of the SAST approach
Compared to subsequent security tests, the SAST approach offers the following advantages:
- Security gaps identified early can be eliminated much more cheaply (sometimes ten times more cheaply).
- As a rule, not only are the gaps recognized, but also the reasons why they could arise. This is not possible with subsequent black-box tests.
- No running code is necessary.
- The tests can be carried out by the developers. Security experts are not required for this.
- 100 percent of the code can be examined for security problems. This is not possible, for example, with dynamic testing of applications or with penetration tests.
- The scanners can often easily be supplemented with additional checks, for example relating to the functionality of certain parts of the code.
Disadvantages of the SAST approach
In theory, the SAST approach does not have any real disadvantages. In practice, however, three basic problems sometimes arise.
- The programming work itself often suffers, which in turn shows up as bugs, because developers focus too much on the security tests and on fixing their findings.
- The tools report too many findings. This happens especially when the scanners have not been adapted to your own needs.
- SAST often replaces the later security tests, yet all problems that only show up in an application in operation then remain undetected.