SAST (also called “white box testing) is the basic form of security testing for application development. It involved the hard work of examining the actual un-compiled application source code to see if and where security vulnerabilities exist. This form of security testing is from the inside-out. According to Gartner, SAST should be a mandatory requirement for all application development. Gartner notes that 80 percent of attacks are aimed at the application layer. SAST analysis is one of the best ways to ensure application security.
The kinds of defects that cause vulnerabilities include:
SAST tools can detect high-risk software vulnerabilities such as SQL injection which would affect the system through the life of the software, Buffer Overflows which could disable the system, cross-site problems like cross-site scripting and cross-site request forgery. SAST tools will detect all of the Open Web Application Security Project (OSWAP) top 10 security risks.
SAST systems can be applied early in the software development cycle because it looks at the code before it is compiled and warns of weak spots. It would be up to 100 times more expensive to fix the code after the application was compiled. By detecting security code early, as opposed to testing right before release, or in post-production, high-risk issues can be resolved without having to break the application build. The security testing can be run throughout the software development lifecycle, minimizing the risk of allowing vulnerabilities to get through to the released application and reducing the risk that hackers can get into the application.
SAST tools can easily integrate into an already established process in an organization’s software development lifecycle. They will work within an integrated development environment, work with bug trackers, source repositories, and other testing tools. The smooth interfacing will further ensure that security testing is consistent and thorough.
The United States government demands that agencies who lease or wish to lease to federal agencies implement a threat assessment program that conforms to the Interagency Security Committee standard. The threat assessment is entirely external and looks for possible sources of cyber threats in the building and surroundings. The mandated vulnerability assessment is aimed at reducing the external sources of threat.
Generally, the term threat assessment is defined as “agents that violate the protection of information assets” [US_CERT–United States Computer Emergency Readiness Team]. Although the emphasis is on seeking and eliminating the external threat, the U.S. CERT does recognize the importance of “Code Analysis,” “White Box” or “Black Box” Code Analysis Tools to manage risks. The advantage of SAST tools is that the code analysis can be done in a way seamlessly integrated with software development.
The conventional threat assessment does not attempt to eliminate the weaknesses inherent in the software. If the software were initially designed without vulnerabilities it would be inherently resistant to all threats. The use of SAST tools in the design of software should be mandated as the ultimate device to remove the threat of external interference to the software.
SAST software is relatively fast without cutting corners. There are several methods for conducting source code reviews. In the top-down approach, the auditor examines the source code for certain types of vulnerabilities without bringing to bear an understanding of the specifics of how the program functions. This approach may be useful in some cases but any vulnerability requiring knowledge of the program’s deep architecture will be missed. The bottom-up approach incorporates a deep knowledge of the way the program works. This approach is relatively thorough but very time consuming and expensive.
In general manual auditing of the code for security vulnerabilities can be very time-consuming. The auditor must understand what security vulnerabilities look like before they can rigorously examine the code.
SAST tools compare favorably to manual audits because,
Application security was not given a lot of attention until a few years ago when cybercrime rose exponentially. Increased malicious activity forced organizations to pay more attention to the vulnerability of software. Penetration testing, application security testing and web application firewalls were widely recognized security methods for a long time, they are, nowadays, used as processes that compliment the two most popular solutions in use today, SAST testing and “black-box” or Dynamic Application Security Testing, referring to
Studies of these two testing methodologies show that,
Scanning and testing small applications are usually straight forward and don’t require a lot of flexibility from the security methods. However, today’s major applications usually involve thousands or even millions of lines of code. These projects could require tens or even hundreds of developer teams to build them. The problem with these large projects is that they generate huge numbers of errors. Any organization which uses inaccurate or inadequate security tools will have to hire personnel to mop up the errors.