28 Jan

Is SAST the answer?

SAST is a contentious topic among developers and testers alike, for its blind spots around some common vulnerability classes and its tendency to flag false positives... but that doesn't mean it has no place.

Sian-Louise Montgomery
Marketing Consultant

Static Application Security Testing (SAST), or static analysis, is infamous for its frequency of false positives: flagging issues and vulnerabilities that are not relevant or applicable to the environment.

This could look like a tool analysing a string of digits and concluding that they are exposed credit card details, when in actuality they are just a series of numbers that happen to fit that format, such as an order reference. It could also be raising cross-site scripting where you know you have a compensating control later down the line, such as output encoding applied in a shared template layer, rendering that flag irrelevant because the later control mitigates the identified vulnerability anyway. That is only true, of course, if the control has actually been verified and is recorded alongside the suppression rather than assumed.

Another issue is that there are many kinds of SAST tool working in very different ways, but a lot of them amount to signature detection: matching elements of code that fit a particular textual or syntactic pattern, rather than following how data actually flows through the program. The problem is that every developer has their own style and approach, and this evolves continuously as the developer progresses. An aliased import, a thin wrapper function or an unusual idiom can take a dangerous call outside the shape a signature expects. So, unless you have a product that stays on top of the latest styles and idioms and keeps encoding that knowledge into its rules, signature detection becomes a less effective way of finding vulnerabilities.
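The two failure modes above, the false positive on a number that merely looks like a card and the false negative on a call that is spelled differently from what the signature expects, as an added example that is not part of the article or any particular SAST product. The sample source, the regexes and the helper names are constructed for the demonstration; the Luhn check and the AST alias resolution are the more precise alternatives shown beside each signature.

```python
"""Two 'signature' checks beside more precise versions of the same checks.

Added example, not from the article or from any particular SAST product.
The sample source below is constructed for the demonstration.
"""
import ast
import re

# Constructed sample source. The first number passes the Luhn check (a widely
# used test card number); the second is an order reference that merely has the
# shape of a card number. The shell=True call on the last line is reached
# through an aliased import, which a textual signature will not recognise.
SAMPLE_SOURCE = '''
TEST_CARD = "4111111111111111"
ORDER_REF = "1234567812345678"
from subprocess import call as run_cmd
import subprocess
subprocess.call("ls", shell=True)
run_cmd(user_input, shell=True)
'''

CARD_RE = re.compile(r"\b\d{16}\b")
SHELL_RE = re.compile(r"subprocess\.(call|run|Popen)\(.*shell\s*=\s*True")
SUBPROCESS_RUNNERS = {"subprocess.call", "subprocess.run", "subprocess.Popen"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def signature_card_numbers(src: str) -> list[str]:
    """Pure signature: any run of 16 digits is reported as a card number."""
    return CARD_RE.findall(src)


def validated_card_numbers(src: str) -> list[str]:
    """Same signature, but each hit must also pass the Luhn check."""
    return [m for m in CARD_RE.findall(src) if luhn_valid(m)]


def signature_shell_true(src: str) -> list[int]:
    """Pure signature: lines that literally read subprocess.<fn>(... shell=True)."""
    return [n for n, line in enumerate(src.splitlines(), 1) if SHELL_RE.search(line)]


def ast_shell_true(src: str) -> list[int]:
    """Resolve import aliases first, so the call is found however it is spelled."""
    tree = ast.parse(src)
    aliases: dict[str, str] = {}  # local name -> fully qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            for a in node.names:
                aliases[a.asname or a.name] = f"subprocess.{a.name}"
        elif isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name):
            target = aliases.get(func.id)
        elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            target = f"{aliases.get(func.value.id, func.value.id)}.{func.attr}"
        else:
            target = None
        if target in SUBPROCESS_RUNNERS and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print("signature card hits:", signature_card_numbers(SAMPLE_SOURCE))
    print("Luhn-validated hits:", validated_card_numbers(SAMPLE_SOURCE))
    print("signature shell=True lines:", signature_shell_true(SAMPLE_SOURCE))
    print("AST shell=True lines:", ast_shell_true(SAMPLE_SOURCE))
```

On the constructed sample the digit signature reports both numbers while the Luhn-validated version keeps only the real test card, and the textual `shell=True` signature finds line 6 but misses the aliased `run_cmd` call on line 7, which the alias-aware AST check picks up. The point is not that regexes are useless, but that a check which understands the language's structure survives stylistic variation that a signature does not.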

That being said, SAST is very capable of finding a lot of vulnerabilities, and there are other areas, such as code quality and readability, where more modern SAST approaches can be quite sophisticated. But to harness the potential of a given SAST tool, you really need to know and understand which tool you're using and in which situations it's going to be most effective. This mostly comes down to testing the SAST tool in your specific environment, with your developers and your code base.

A first step to improving SAST in your organisation is trial and error. Test a few different SAST providers. Perhaps trial some open source tools against some commercial, off-the-shelf tools to understand whether you need one tool or a number of complementary tools to fit your criteria. Run them against the same code base, ideally one containing vulnerabilities you have already confirmed by other means, so you can compare what each tool finds and what each one misses rather than judging them on volume of output.

The second step is to start tuning your tools. There is a wealth of information you can feed into a SAST tool to make its results more confident and actionable: disabling rules that don't apply to your stack, declaring the sanitisers and frameworks you rely on so the tool recognises your compensating controls, suppressing known false positives with a recorded reason, and adjusting severities to reflect how a vulnerability class actually matters in your environment.

Finally, look at what you're doing with that output. If you're saying that every critical or high-risk finding should be fed straight back to developers and that the build should be blocked in the CI/CD pipeline until it's fixed, that is arguably the wrong way to view SAST. On the other hand, you can recognise that there are some vulnerability classes SAST will confidently and accurately analyse, and others it will not be able to analyse with confidence but for which it still captures useful information, such as the entry points and code paths it was unsure about. Fed into a manual test or a DAST tool, that information makes the second stage of the development process a much more effective way of finding vulnerabilities.
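Steps two and three above, tuning and then deciding what to do with the output, as an added example that is not part of the article or of any SAST product. The rule identifiers, findings, confidence levels and suppression entry are all constructed for the demonstration; the shape of the policy is the point, not the particular values.

```python
"""Triage SAST findings with a tuning policy instead of blocking on everything.

Added example, not from the article or any particular SAST product. The rule
identifiers, findings and policy below are constructed for the demonstration;
real tools emit their own identifiers (often in SARIF).
"""

# Step two, tuning: after trialling the tool on our own code base we record how
# much we trust it per rule, and which findings a verified compensating control
# already covers. (Constructed values.)
RULE_CONFIDENCE = {
    "sql-injection": "high",
    "hardcoded-secret": "high",
    "xss-reflected": "low",  # output encoding happens in a layer the tool does not model
    "path-traversal": "low",
}
DEFAULT_CONFIDENCE = "low"  # an untested rule must earn the right to break a build

SUPPRESSIONS = [
    {
        "rule_id": "xss-reflected",
        "path_prefix": "web/templates/",
        "reason": "template engine autoescapes; control verified during tool trial",
    },
]

BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed findings, as a tool might report them after a scan.
FINDINGS = [
    {"id": "F1", "rule_id": "sql-injection", "severity": "high", "file": "api/orders.py", "line": 42},
    {"id": "F2", "rule_id": "xss-reflected", "severity": "high", "file": "web/templates/profile.html", "line": 10},
    {"id": "F3", "rule_id": "xss-reflected", "severity": "medium", "file": "web/views/search.py", "line": 77},
    {"id": "F4", "rule_id": "hardcoded-secret", "severity": "medium", "file": "scripts/deploy.py", "line": 5},
    {"id": "F5", "rule_id": "unknown-rule", "severity": "critical", "file": "lib/util.py", "line": 1},
]


def suppression_for(finding):
    """Return the recorded suppression covering this finding, if any."""
    for s in SUPPRESSIONS:
        if s["rule_id"] == finding["rule_id"] and finding["file"].startswith(s["path_prefix"]):
            return s
    return None


def triage(findings, rule_confidence=RULE_CONFIDENCE):
    """Sort findings into four buckets.

    block:        trusted rule, high impact -> fail the pipeline
    ticket:       trusted rule, lower impact -> fix on the normal schedule
    second_stage: untrusted rule -> hand to DAST or a manual tester as a hint
    suppressed:   covered by a recorded compensating control
    """
    buckets = {"block": [], "ticket": [], "second_stage": [], "suppressed": []}
    for f in findings:
        s = suppression_for(f)
        if s is not None:
            buckets["suppressed"].append({**f, "reason": s["reason"]})
            continue
        confidence = rule_confidence.get(f["rule_id"], DEFAULT_CONFIDENCE)
        if confidence == "high" and f["severity"] in BLOCKING_SEVERITIES:
            buckets["block"].append(f)
        elif confidence == "high":
            buckets["ticket"].append(f)
        else:
            buckets["second_stage"].append(f)
    return buckets


def second_stage_hints(buckets):
    """What the pen tester or DAST run gets: the places the tool was unsure about."""
    return [f"{f['file']}:{f['line']} ({f['rule_id']})" for f in buckets["second_stage"]]


def gate_exit_code(buckets):
    """CI exit code: only the 'block' bucket fails the build."""
    return 1 if buckets["block"] else 0


if __name__ == "__main__":
    result = triage(FINDINGS)
    for name, items in result.items():
        print(name, [f["id"] for f in items])
    print("hints for second stage:", second_stage_hints(result))
    raise SystemExit(gate_exit_code(result))
```

With the constructed input only the trusted, high-severity SQL injection finding blocks the build; the hard-coded secret becomes a ticket; the templated XSS finding is suppressed with its reason attached so the decision is auditable; and the two findings the tool cannot be trusted on, including the one from a rule nobody has evaluated yet, are handed to the second stage as hints rather than ignored or allowed to fail the pipeline. Notice that the unknown rule defaults to low confidence: a rule earns the right to block a build only after step two has shown it is accurate on your code.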

Many of us have started pen tests where, had we had the SAST results, our method and delivery could have been far more effective. The key to improving this experience is to keep adapting the way we use SAST as the tools, the code base and the developers change.
