
Static Application Security Testing (SAST), also called “white box testing,” is the basic form of security testing in application development. It examines the application’s uncompiled source code to determine whether and where security vulnerabilities exist, so it tests from the inside out. According to Gartner, SAST should be mandatory for all application development; Gartner notes that 80 percent of attacks are aimed at the application layer. SAST is one of the best ways to ensure application security.
The kinds of defects that cause vulnerabilities include:
SAST tools can detect high-risk software vulnerabilities such as SQL injection, which would affect the system throughout its life; buffer overflows, which could disable the system; and cross-site problems such as cross-site scripting and cross-site request forgery. They will also detect all of the Open Web Application Security Project (OWASP) Top 10 security risks.
SAST systems can be applied early in the software development cycle because they look at the code before it is compiled and warn of weak spots. Fixing the code after the application has been compiled would be up to 100 times more expensive. By detecting insecure code early, as opposed to testing right before release or in post-production, high-risk issues can be resolved without breaking the application build. The security testing can be run throughout the software development lifecycle, minimizing the risk that vulnerabilities reach the released application and reducing the risk of attackers getting into it.
SAST tools can easily integrate into an already established process in an organization’s software development lifecycle. They will work within an integrated development environment, with bug trackers, source repositories, and other testing tools. The smooth interfacing will further ensure that security testing is consistent and thorough.
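The following is an added illustration, not code from the original article or from any SAST vendor: a deliberately small SAST-style check built on Python’s standard `ast` module. It shows the two points made above in working form: the check inspects uncompiled source (it never runs the program) and flags SQL statements assembled from runtime values before they reach an `execute()` call, and it returns a non-zero exit status when findings exist, which is how such a check gates a build in a CI pipeline. The class and function names, the rule id `SQLI`, and the `VULNERABLE`/`SAFE` sample sources are all constructed for this example.

```python
"""Minimal SAST-style SQL injection check over uncompiled Python source.

Illustrative example only (not the article's or any vendor's code);
names and sample inputs below are constructed for the demonstration.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


class SqlInjectionVisitor(ast.NodeVisitor):
    """Walk the syntax tree and report execute()/executemany() calls whose
    query argument is built at runtime from non-constant pieces."""

    EXEC_NAMES = {"execute", "executemany"}

    def __init__(self):
        self.findings = []

    def _is_dynamic(self, node):
        # f-string with at least one interpolated value: f"... {name} ..."
        if isinstance(node, ast.JoinedStr):
            return any(isinstance(v, ast.FormattedValue) for v in node.values)
        # "..." + name  or  "... %s" % name : operands that are not both literals
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
        # "...".format(name)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"):
            return True
        return False

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in self.EXEC_NAMES
                and node.args and self._is_dynamic(node.args[0])):
            self.findings.append(Finding(
                node.lineno, "SQLI",
                "query built from runtime values; use a parameterized query"))
        self.generic_visit(node)


def scan_source(source: str):
    """Parse (do not run) the given source and return a list of Findings."""
    visitor = SqlInjectionVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample: three common ways of concatenating input into SQL.
VULNERABLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
'''

# Constructed sample: the parameterized form the finding recommends.
SAFE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    total = 0
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        findings = scan_source(src)
        total += len(findings)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: [{f.rule}] {f.detail}")
    # Non-zero exit status fails the build step when anything was flagged.
    raise SystemExit(1 if total else 0)
```

Run as a script it reports three findings on the vulnerable sample (lines 3, 4 and 5 of that snippet) and none on the parameterized version, then exits 1, which is the behaviour a pre-commit hook or CI job relies on. A real SAST tool generalizes this in two directions the toy does not: it tracks where the interpolated value came from (taint tracking across functions and files) so that a string built from constants is not reported, and it ships hundreds of rules of this shape rather than one.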
The United States government requires that agencies that lease, or wish to lease, to federal agencies implement a threat assessment program that conforms to the Interagency Security Committee standard. The threat assessment is entirely external and looks for possible sources of cyber threats in the building and its surroundings. The mandated vulnerability assessment aims to reduce external sources of threat.
Generally, threat assessment is defined in terms of “agents that violate the protection of information assets” [US-CERT, United States Computer Emergency Readiness Team]. Although the emphasis is on seeking and eliminating external threats, US-CERT recognizes the importance of “Code Analysis” and “White Box” or “Black Box” code analysis tools in managing risk. The advantage of SAST tools is that code analysis can be seamlessly integrated with software development.
Conventional threat assessment does not attempt to eliminate the weaknesses inherent in software. If software were initially designed without vulnerabilities, it would inherently resist all threats. SAST tools should be mandated in software design as the ultimate device to remove the threat of external interference.
SAST software is relatively fast without cutting corners. There are several methods for conducting source code reviews. In the top-down approach, the auditor examines the source code for certain types of vulnerabilities without bringing to bear an understanding of the specifics of how the program functions. This approach may be useful in some cases, but any vulnerability requiring knowledge of the program’s deep architecture will be missed. The bottom-up approach incorporates a deep knowledge of the way the program works. This approach is relatively thorough but very time-consuming and expensive.
In general, manual code auditing for security vulnerabilities can be very time-consuming. The auditor must understand what security vulnerabilities look like before they can rigorously examine the code.
SAST tools compare favorably to manual audits because,
Application security was not given much attention until a few years ago, when cybercrime rose exponentially. Increased malicious activity forced organizations to pay more attention to the vulnerability of software. Penetration testing, application security testing, and web application firewalls were widely recognized security methods for a long time; nowadays they are used as processes that complement the two most popular solutions in use today, SAST and “black-box” or Dynamic Application Security Testing (DAST), referring to
Studies of these two testing methodologies show that,
Scanning and testing small applications is usually straightforward and does not require much flexibility from the security methods. However, today’s major applications usually involve thousands or even millions of lines of code, and such projects can require tens or even hundreds of developer teams to build them. The problem with these large projects is that they generate errors at scale. Any organization that uses inaccurate or inadequate security tools must hire personnel to mop up the errors.