This blog was written by an independent guest blogger.
DevSecOps means countering threats at all stages of creating a software product. The DevSecOps process is impossible without securing the source code. In this article, I would like to talk about Static Application Security Testing (SAST).
As development fluency is growing every year, many companies are introducing DevSecOps. Its main message calls for ensuring continuous safety control at every stage of product creation. At the same time, DevSecOps processes are automated as much as possible.
About 90% of security incidents occur because of malicious exploitation of software bugs. Eliminating vulnerabilities at the stage of application development significantly reduces information security risks. To search for vulnerabilities in the applications to be developed, there are specific classes of tools, the markets of which are now growing rapidly. The Application Security Testing Market — Global Industry Analysis, Size, Share, Growth, Trends, and Forecast 2017 — 2025 report by the Transparency Market Research splits application security testing into the following product classes:
- Static Application Security Testing (SAST) — static analysis of an application with access to the source code (using the white box method).
- Dynamic Application Security Testing (DAST) — dynamic analysis of an application without access to the source code and execution environment (using the black box method).
- Interactive Application Security Testing (IAST) — dynamic analysis of application security with access to the source code and execution environment (using the white box method).
All these systems allow a comprehensive approach to assessing the security of applications. At the initial stage, as a rule, static code analysis (SAST) comes into play.
What is SAST?
SAST (Static Application Security Testing) analyzes code or part of it for vulnerabilities without launching the application to be examined. It ensures compliance with guidelines and standards without actually executing the underlying code. SAST was one of the first auxiliary tools for assessing application vulnerability.
One of the key strengths of SAST is its wide coverage of programming languages and development platforms. For almost any mainstream language, several vendors are offering static code analysis tools. Another plus is that SAST is easy to implement - it's quite easy to add a static scanner to your development pipeline and IDE.
SAST is the stronghold of the Shift Left approach, in which software is extensively tested for coding bugs and security loopholes at early development stages to ensure hassle-free deployment down the line. Even if an application is in its rudimentary state and lacks functionality to run, these tools can scrutinize it for imperfections. That’s the fundamental difference between static and dynamic testing. The former can be used at initial phases of the application lifecycle, and the latter is geared toward vetting full-fledged code in a runtime environment.
Also, since developer teams considerably outnumber security personnel in the average organization, manual reviews of the codebase are incredibly challenging or outright impossible. SAST bridges the gap by scanning millions of code strings in mere minutes. It easily pinpoints critical flaws, such as SQL injection, cross-site scripting (XSS), and buffer overflows without involving humans.
Finally, developers benefit from the static source code analysis as it refers to the exact location of a potential problem. It provides instant feedback about programming slip-ups in an easy-to-interpret way, for instance, by highlighting crude fragments. Some tools also display hands-on recommendations on how to address specific issues that were detected. The ability to build customized reports adds an extra layer of visualization to the process, making risky code easier to track and facilitating the remediation routine.
The main disadvantage of SAST is a large number of false positives or false negatives. According to public data from OWASP, static analysis tools yield up to 50% of false positives. This consumes a good deal of time as developers have to sort and manually check each potentially vulnerable piece.
Therefore, when implementing this type of solution in an enterprise environment, IT professionals should adjust it to the company’s needs by writing new rules or modifying the existing ones to minimize the number of false positives. Thorough analysis of the first scan results can give actionable insights into the areas that could use some fine-tuning to reduce “white noise”.
SAST is required to provide the following features:
- Availability of high-quality technologies and algorithms for deep code analysis and identification of vulnerabilities.
- Regularly updated rule base with flexible customization and extensibility.
- Comprehensive evidence-based reports on the detected vulnerabilities and detailed recommendations for removing them.
- Comparing the analysis results when rescanning the edited code (highlighting patched, unpatched, re-emerging vulnerabilities).
- Support a wide variety of programming languages.
- Compatibility with development environments, version control, and bug tracking systems.
- Communication between developers and security experts.
- The minimum number of false positives.
- Presentation of the analysis results in an easy-to-read form.
- Availability of automatic reporting tools.
- The option to conduct code analysis remotely.
The SAST that fully complies with the requirements set forth will identify problems in the code more accurately and can allow you to spend fewer resources on localization and removal of vulnerabilities.
SAST performs best for finding errors in strings of code but is not very effective for detecting flaws in the data stream.
Global SAST market
According to DevSecOps Market Size, Share, and Global Market Forecast to 2023 by MarketsandMarkets, the DevSecOps market value was estimated at $1.5 billion in 2018 and projected to reach $5.9 billion by 2023, increasing by an average of 31.2% per year.
According to the Grand View Research, the application security market will reach $10.7 billion by 2025, increasing by an average of 17.7% per year. At the same time, within the framework of the code analysis tools, SAST and DAST occupy the same sales positions on a global market scale.
There are many different analyzers on the world market originating both from well-known security vendors and from niche players who develop SAST only.
From a performance point of view, products can be installed directly at the client’s premises (on-premises) or be cloud-based (software-as-a-service). It is worth keeping in mind that while on-premises deployment provides more control over the solution and its features, it usually entails much higher maintenance costs than the cloud scenario.
SAST products
Checkmarx CxSAST
Checkmarx CxSAST automatically detects and identifies vulnerabilities in uncompiled code in the most common programming languages. CxSAST can be installed on its own or integrated into the development cycle (SDLC) to reduce the time it takes to find and remediate vulnerabilities.
Key features:
- Visualization of the code in the form of operating charts of execution routes.
- Based on the scan results, recommendations are given on how to fix problems with linking to a graphic scheme.
- Supports 27 programming languages.
- Integrated with various development environments (Eclipse, IntelliJ, Visual Studio, etc.), build servers (Jenkins, CLI, Bamboo, Maven, TeamCity), version control systems (Bitbucket, etc.), and bug tracking (Atlassian Jira, etc.).
Fortify Static Code Analyzer (SCA)
The product currently supported by Micro Focus has changed ownership several times over its long history. However, it has grown into a powerful source code analysis tool.
Fortify Static Code Analyzer is a static application security testing module within the larger Fortify family of solutions. It identifies the causes of vulnerabilities, prioritizes results, and provides detailed recommendations on fixing the code.
Key features:
- Supports 21 programming languages, including Python, ASP.NET, Ruby.
- Coverage of over 900 categories of vulnerabilities included in SANS Top 25 and OWASP Top 10, compliance with DISA STIG, PCI DSS, and others.
- On-premises and cloud-based threat intelligence model.
- Availability of a mechanism for interaction with continuous integration management systems, which allows automatic generation of error reports.
- Uses machine learning algorithms to reduce the risk of false positives.
HCL Security AppScan Source
HCL Security AppScan Source (formerly IBM Security AppScan) is designed for information security professionals, requires high qualifications, but generates a better picture of vulnerabilities linked to the source code. The product provides interaction between employees responsible for application security and developers. It has means of integration with common development environments, which makes it possible to track vulnerabilities at an early stage.
Key features:
- 21 programming languages supported.
- General and compliance reports using over 40 different templates are available right out of the box.
- AppScan Standard helps reduce the risk of data breaches and attacks on web applications before deploying the website and performs a risk assessment in the course of operation.
- Fine-tuning and upgrading options are available with the AppScan eXtension Framework.
- Direct integration into existing systems using the AppScan SDK.
- Link categorization functions, the scope of which is not limited to the protection of the application, but allows you to determine the risks for users visiting unwanted sites.
- Helps determine which site technologies can affect AppScan crawl results.
Conclusion
Vulnerabilities and bugs in software under development constitute a major security problem. The application of SAST solutions enables mitigating those risks dramatically without inviting any third-party experts. SAST is a handy developer suite that easily integrates into DevSecOps routines.
A wide variety of software solutions for static code analysis is available on the global market, where both renowned players operating in multiple segments and niche developers working with SAST only are present.
