Static Analysis Security Testing

Static Analysis Security Testing (SAST) is a powerful way to identify potential security flaws in a program.

While techniques are varied, SAST tools are designed to produce security warnings representing potentially risky pathways through a program’s source code. Risky pathways typically involve receiving user-controlled data that then makes its way through the source code and ending up outside the program, such as a website form to make a purchase making it into an orders database table. The reverse is sometimes true as well: data can go from the database back out to the user.

SAST tools present a security warning, or finding, when the user data is not modified to remove attacks (sanitation) or is not checked against a list of known good characters (validation or white listing). The absence of sanitization or validation triggers a finding to be flagged as potentially damaging. Such potentially damaging pathways and findings are what SAST tools try to find within source code.

SAST tools are thorough and deep in their assessments. This is both a strength and a challenge for the tools; findings by the thousands are not uncommon for a single program and comprehensive review of those findings can be onerous. Traditionally there are two ways to manage such large sets of findings, as follows:
  • Scan less of the attack surface of the program, and thus have fewer findings to review and increase the risk of important findings not being identified.
  • Add more people to review the results.

Intelligent Finding Analysis (IFA) offers an additional approach to managing large sets of findings from SAST assessments.