With innovative solutions seemingly cropping up every day by the multitude, it can sometimes feel hard to keep up to date. It can also cause us to overlook tried and tested solutions in favour of what’s shiny.
I don’t feel like I need to convince you that application vulnerabilities are one of the weakest links in application security. A large share of external attacks target flaws in the application layer rather than in the underlying infrastructure.
SAST is a viable, well-established answer to the problem of application vulnerabilities.
But what is SAST?
SAST stands for Static Application Security Testing.
But a name alone rarely tells you what something actually is, so I won’t assume the acronym gives you all the clues.
I wanted to write an accessible guide for the SAP community on why I think SAST is so valuable and how it will benefit many people here, so that’s what this post is about. I’ll give you an overview of SAST and then look at its pragmatic application to show why it matters.
SAST – an overview.
SAST has been around for about 15 years now. In tech, that’s not always a good thing. SAST, however, has stood the test of time for a very good reason: it lets you find vulnerabilities in your own code before anyone else does.
SAST is not a design methodology; it is a testing technique that fits into the process of designing, building and shipping software.
In short, SAST is a technique whereby the source code (or, with some tools, the compiled binary) of your software is thoroughly scrutinised.
This scrutiny happens without running the application, hence the “static” part of the technique’s name. The code is analysed as written, before the application is live, in contrast to dynamic testing (DAST), which probes the running application from the outside.
The scrutiny of code isn’t about efficiency, performance or even user experience; it’s specifically about finding security vulnerabilities.
It’s worth pointing out from the outset that a huge consideration when bringing a solution to market is speed of execution. SAST does not lend itself readily to speedy execution. SAST is like putting on the brakes: it slows the process down and eradicates vulnerabilities before the world finds them.
The key question when deciding whether to apply SAST is: am I prepared to accept the risk of attack through an application vulnerability in exchange for my solution hitting the marketplace as soon as possible?
If the answer is no, then SAST is for you. If the answer is yes, then let your community of users expose those vulnerabilities (and hope you get wind of them before someone with more sinister intentions does).
SAST works by analysing the code against a predetermined set of rules that describe vulnerability patterns, such as missing input validation or SQL injection (as well as many more), and highlighting every place the code matches one. Once a finding is highlighted, it’s a case of jumping into the code and fixing the issue before the software goes live.
Is SAST the perfect solution to application vulnerability?
Like any technical approach you care to think of, SAST comes with its pitfalls.
I’ve already mentioned the time factor. SAST takes time out of the process. Sometimes the rush to market comes first and SAST simply isn’t an option.
Another issue common to the SAST approach is false positives. Because the tool matches patterns in the code without knowing the runtime context (which values are constants, which inputs are already validated elsewhere), you’re going to have to sort the false positives from the actual issues. This compounds the time issue too.
Adding to the time issue and the false positive issue, SAST also misses things. Vulnerabilities that only exist because of runtime configuration, business logic, or data flowing through components the scanner can’t see (third-party services, compiled libraries) won’t show up in a static scan, so a clean SAST report is not proof that the application is secure.
I don’t know about you, but I often write a method or technique off after looking at the cons rather than weighing them against the pros. Let me turn to the pros now.
SAST makes sniffing out common vulnerabilities simple and, more importantly, automated.
SAST is a really good way of improving overall best practice among your developers. SAST beelines for the common coding errors and flags them automatically. This helps your team learn to spot those mistakes and fix them, and reduces the probability of the same mistake recurring.
The major win for SAST, though, is the stage at which testing happens. SAST encourages you to consider security very early in the process, while the code is still being written rather than after it has shipped. In my humble opinion, this is critical to designing solid software solutions.
Make SAST part of the process.
I think it has become apparent as you read this post that I’m in favour of slowing things down with tools like SAST, because it informs best practice and pays back in long-term delivery efficiency.
I think anyone designing software applications needs to integrate SAST as early in the development process as possible.
SAP solutions lend themselves really well to a SAST approach too, so I feel the SAP community is the right place to bring these insights and ideas about SAST.