
SAST (also called “white box testing”) is the basic form of security testing for application development. It involves examining the uncompiled application source code to determine whether and where security vulnerabilities exist. This form of security testing works from the inside out. According to Gartner, SAST should be mandatory for all application development. Gartner notes that 80 percent of attacks target the application layer. SAST analysis is one of the best ways to ensure application security.
The kinds of defects that cause vulnerabilities include:
SAST tools can detect high-risk software vulnerabilities, such as SQL injection, which can affect the system throughout its life; buffer overflows, which can disable the system; and cross-site issues like cross-site scripting and cross-site request forgery. They will also detect all of the Open Web Application Security Project (OWASP) top 10 security risks.
SAST systems can be applied early in the software development cycle because they analyze code before it is compiled and warn of potential weaknesses. Fixing the code after the application has been compiled would be up to 100 times more expensive. By detecting insecure code early, rather than testing right before release or in post-production, high-risk issues can be resolved without breaking the application build. Security testing can be run throughout the software development lifecycle, minimizing the risk of vulnerabilities slipping into the released application and reducing the risk of hackers gaining access to it.
SAST tools can easily integrate into an organization’s established software development lifecycle. They will work within an integrated development environment, with bug trackers, source repositories, and other testing tools. The smooth interfacing will further ensure that security testing is consistent and thorough.
The United States government requires that entities that lease, or wish to lease, space to federal agencies implement a threat assessment program that conforms to the Interagency Security Committee standard. That threat assessment is entirely external: it seeks potential sources of cyber threats within the building and its surroundings. The mandated vulnerability assessment aims to reduce external threats.
Generally, threat assessment is defined as “agents that violate the protection of information assets” [US_CERT–United States Computer Emergency Readiness Team]. Although the emphasis is on identifying and eliminating external threats, the U.S. CERT recognizes the importance of “Code Analysis,” including “White Box” and “Black Box” Code Analysis Tools, in managing risks. The advantage of SAST tools is that code analysis can be seamlessly integrated with software development.
Conventional threat assessment does not aim to eliminate the inherent weaknesses in software. If software were designed without vulnerabilities from the start, it would inherently resist all threats. SAST tools should therefore be mandated in software design as the definitive means of removing the threat of external interference.
SAST software is relatively fast without cutting corners. There are several methods for conducting source code reviews. In the top-down approach, the auditor examines the source code for certain types of vulnerabilities without drawing on an understanding of the program’s specific functionality. This approach may be useful in some cases, but any vulnerability requiring knowledge of the program’s deep architecture will be missed. The bottom-up approach incorporates deep knowledge of how the program works. This approach is relatively thorough but very time-consuming and expensive.
In general, manual code auditing for security vulnerabilities can be very time-consuming. The auditor must understand what security vulnerabilities look like before they can rigorously examine the code.
SAST tools compare favorably to manual audits because,
Application security received little attention until a few years ago, when cybercrime rose exponentially. Increased malicious activity forced organizations to pay closer attention to software vulnerabilities. Penetration testing, application security testing, and web application firewalls were widely recognized security methods for a long time; today they are used as processes that complement the two most popular solutions in use, SAST testing and “black-box” or Dynamic Application Security Testing, referring to
Studies of these two testing methodologies show that,
Scanning and testing small applications are usually straightforward and don’t require much flexibility from the security methods. However, today’s major applications often involve thousands, or even millions, of lines of code. These projects could require tens or even hundreds of developer teams to build. The problem with these large projects is that they generate errors. Any organization that uses inaccurate or inadequate security tools must hire personnel to mop up the errors.