Product Security Glossary

Static Application Security Testing

What is SAST? 

SAST stands for Static Application Security Testing.  It is also called Source Code Analysis and is a form of White Box Testing: automated tools examine a program's source code (or, for some tools, its compiled bytecode or binaries) without running it, looking for programming errors.  The goal is to find errors that could cause security or reliability problems, and fix them before the software is released.

How does SAST Work? 

Automated analyzer programs examine the source code of a program, looking for problems that are defined in the analyzer's ruleset: dangerous functions, unsafe coding patterns, and flows of untrusted data into sensitive operations.  The program under test is never executed, so there is no need to build test cases or a running environment; this is what separates SAST from dynamic testing (DAST) and is why SAST can run on every commit, long before the software is deployable.  SAST should be an integral part of the whole software development lifecycle.

Why is SAST Important? 

Programmers are human, just like the rest of us.  As any other human would do, programmers make mistakes.  Errors in program source code could result in security problems such as the following:

  • Improper memory allocation or deallocation (memory leaks, use after free)
  • Buffer overflows
  • Dangling or uninitialized pointers
  • SQL injection
  • Stack overflows
  • Integer overflows
  • Race conditions
  • Missing or incorrect input validation
  • Unhandled exceptions

Any of these problems could present a vulnerability that could be exploited by a malicious actor.  Once an attacker has exploited a vulnerability, they could steal sensitive data, plant cryptocurrency mining software, join the machine to a botnet, crash the system, or carry out any of a number of other attacks.

These types of errors aren't always obvious to the human eye, especially in a large codebase.  An automated SAST tool can find many of them, consistently and on every build.

What Types of SAST Analyzers are Available? 

There are two general types of SAST analysis.

Intraprocedural analysis, the older and simpler type, examines each function on its own.  It looks for suspicious patterns within a single function body and does not follow calls into other functions, so it is fast but misses problems where untrusted data enters in one function and reaches a dangerous operation in another.

Interprocedural analysis is more modern and more complex.  It follows data and control flow across function boundaries, building a call graph and tracking values (taint tracking) from the point where they enter the program to the point where they are used, so it can reconstruct execution paths that span several functions.  Most current analyzers of either kind also let the user define additional patterns or rules that the analyzer should detect.
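As an added illustration of the two points above (how a ruleset-driven analyzer works, and what intraprocedural analysis misses that interprocedural analysis catches), here is a toy taint-tracking analyzer written for this glossary entry.  It is example code, not the code of any real SAST product.  Its ruleset is an assumption made for the example: every parameter of a function named `handle_*` is treated as untrusted input (the source), and the SQL text passed as the first argument to `cursor.execute(...)` is the sink.  The sample program it scans is constructed for the example as well.

```python
"""Toy SAST analyzer (added example): taint tracking over Python's `ast` module.
Ruleset (an assumption for this example): every parameter of a top-level function
named handle_* is a source of untrusted data; the SQL text passed as first argument
to cursor.execute(...) is the sink; no sanitizers are known to the analyzer."""
import ast

SOURCE_PREFIX = "handle_"
SINK_METHOD = "execute"


class TaintAnalyzer:
    """Intraprocedural by default. With interprocedural=True it first summarizes each
    top-level function (does a tainted argument reach its return value?) and consults
    those summaries when it meets a call to that function."""

    def __init__(self, interprocedural=False):
        self.interprocedural = interprocedural
        self.summaries = {}  # helper name -> True if it returns tainted data
        self.findings = []   # (handler name, line of the tainted sink call)

    def analyze(self, tree):
        funcs = [n for n in tree.body if isinstance(n, ast.FunctionDef)]
        if self.interprocedural:
            for f in funcs:  # one pass in definition order (no fixed-point iteration)
                self.summaries[f.name] = self._returns_tainted(f)
        for f in funcs:
            if f.name.startswith(SOURCE_PREFIX):
                self._check_handler(f)
        return self.findings

    def _statements(self, body):
        # Yield statements in source order, descending into nested blocks.
        for stmt in body:
            yield stmt
            for field in ("body", "orelse", "finalbody"):
                yield from self._statements(getattr(stmt, field, []))

    def _is_tainted(self, expr, tainted):
        """Does `expr` derive from a variable in `tainted`?"""
        if isinstance(expr, ast.Name):
            return expr.id in tainted
        if isinstance(expr, ast.JoinedStr):  # f"... {x} ..."
            return any(self._is_tainted(v.value, tainted)
                       for v in expr.values if isinstance(v, ast.FormattedValue))
        if isinstance(expr, ast.BinOp):  # "..." + x, "..." % x
            return self._is_tainted(expr.left, tainted) or self._is_tainted(expr.right, tainted)
        if isinstance(expr, ast.Call):
            args_tainted = any(self._is_tainted(a, tainted) for a in expr.args)
            if isinstance(expr.func, ast.Attribute):  # x.strip(), "...".format(x)
                return args_tainted or self._is_tainted(expr.func.value, tainted)
            if isinstance(expr.func, ast.Name):  # helper(x)
                # Intraprocedural analysis cannot see inside the callee, so the result
                # counts as clean; interprocedural analysis has a summary for it.
                return args_tainted and self.summaries.get(expr.func.id, False)
        return False

    def _propagate(self, stmt, tainted):
        # An assignment from a tainted expression taints its target names.
        if isinstance(stmt, ast.Assign) and self._is_tainted(stmt.value, tainted):
            tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}

    def _returns_tainted(self, func):
        tainted = {a.arg for a in func.args.args}
        for stmt in self._statements(func.body):
            self._propagate(stmt, tainted)
            if isinstance(stmt, ast.Return) and stmt.value is not None \
                    and self._is_tainted(stmt.value, tainted):
                return True
        return False

    def _check_handler(self, func):
        tainted = {a.arg for a in func.args.args}  # every parameter is a source
        for stmt in self._statements(func.body):
            self._propagate(stmt, tainted)
            if not isinstance(stmt, (ast.Expr, ast.Assign)):
                continue
            for node in ast.walk(stmt.value):
                if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                        and node.func.attr == SINK_METHOD and node.args
                        and self._is_tainted(node.args[0], tainted)):
                    self.findings.append((func.name, node.lineno))


def scan(source, interprocedural=False):
    """Return [(handler, line)] for each execute() whose SQL text is tainted."""
    return TaintAnalyzer(interprocedural).analyze(ast.parse(source))


# Constructed sample program for this example; not code from any real project.
SAMPLE = '''
def build_query(name):
    return "SELECT * FROM users WHERE name = '" + name + "'"
def handle_search(name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")  # vulnerable
def handle_lookup(name):
    cursor.execute(build_query(name))  # vulnerable, visible only across the call
def handle_safe(name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # parameterized
def handle_sort(column):
    if column not in ("name", "created_at"):  # allowlist the rule does not model
        raise ValueError("bad column")
    cursor.execute(f"SELECT * FROM users ORDER BY {column}")  # false positive
'''
```

Calling `scan(SAMPLE)` (intraprocedural) reports `handle_search` and `handle_sort`; `scan(SAMPLE, interprocedural=True)` additionally reports `handle_lookup`, because the summary of `build_query` records that its return value is built from its tainted argument.  `handle_safe` is correctly left alone: the untrusted value is passed as a parameter, never into the SQL text.  `handle_sort` is a false positive: the allowlist check makes it safe, but the ruleset does not model that check, which is the ruleset limitation discussed under strengths and weaknesses.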

What are the Strengths and Weaknesses of SAST? 

SAST is great for finding common programming errors.  But source code analyzers are only as good as the ruleset they use.  A poorly designed ruleset causes the analyzer either to miss real problems (false negatives) or to report problems that don't exist (false positives), and a tool that cries wolf too often is soon ignored.  SAST also only sees what is expressed in the source code.  It can't detect architectural or design flaws, business-logic errors, or problems in how the software is configured and deployed.  Hard-coded passwords and other embedded secrets are a telling case: a rule can flag an obvious pattern such as a variable named password assigned a string literal, but the analyzer has no way to tell a real credential from a test fixture or placeholder, so these findings need human judgment and, in practice, a dedicated secret scanner.  For these reasons, automated SAST should be accompanied by a manual review of the code.  The bottom line here is that source code analyzers can catch errors that humans might miss, but humans can catch errors that the source code analyzers can't.  So, even though automated SAST does have weaknesses, it's still an invaluable part of the overall software development lifecycle.