By Jay Lloyd. July 23rd, 2021.
What is SAST?
Static Application Security Testing, or SAST, is a testing methodology used to analyze source code for security vulnerabilities. Source code is the collective lines of code that developers write to build your product. The code that developers are writing is performing tasks such as handling user actions in the browser, accessing data, making requests to third-party services, etc.
These actions by themselves aren't security vulnerabilities but how they are implemented could be problematic. The issue could be not validating data that users enter in your app. This can result in an injection attack, an OWASP Top 10 Application Security Risk that can cause your application to allow unauthorized access to data or behave unexpectedly.
These risks can be reduced by doing code reviews. But even if a developer's code is peer-reviewed, these issues may not be obvious. This is where a SAST tool can help. A SAST tool scans your code for vulnerabilities and reports its findings. During a code review, the reviewer is typically making sure that the code achieves the desired functionality, and a SAST tool is like a second set of eyes that focuses on security weaknesses.
Why do you need a SAST tool?
A SAST tool is your backup plan for code reviews. Peer-reviewed code doesn't catch everything, and it's unrealistic for a human to understand and scrutinize every line of code. This type of deep analysis is best left for machines because they can quickly scan your codebase and reduce costs. A developer's time is better spent building new features than pouring over thousands of lines of code. But getting down to brass tacks, the real benefit of having a SAST tool is stopping security vulnerabilities from reaching your production environment; production is the final environment in your software development process, where your customers use your product. This is a crucial step in adopting a "Shift Left" philosophy, which I talk more about in the article, Tech debt is a security nightmare. Here's how to fix it.
What are some key features when choosing a vendor?
There is no shortage of SAST tools to choose from. These tools have been around for a long time, so the feature set is varied. Here, I'll discuss several criteria to think about when deciding which tool is right for you.
Supported languages and frameworks
Testing Surface Area
SAST tools test for different things. At a minimum, you want to choose a tool that tests for the OWASP Top 10 so that you are alerted to the most common risks. However, some tools go the extra mile and scan for code quality issues (e.g., error-prone code, maintainability, code formatting) and secrets (e.g., passwords, access keys). These features aren't must-haves because you may be using other tools that perform these tasks, but it is nice to have all these findings in a central location. A single source for all code issues has the added benefit of providing a holistic view of your flaws.
Just because your SAST tools say a line of code is an issue doesn't mean that it is. SAST tools are trained to sniff out known patterns and raise a flag if a match is found. An incorrect match is known as a false positive. Many vendors are improving their tools to reduce false positives by using machine learning. This feature shouldn't be undervalued because it will allow your team to spend less time reviewing issues that aren't real.
SAST tools look for patterns in your codebase; however, they lack context. A SAST tool doesn't know that the code it's scanning is for internal use only and a DDoS attack isn't a concern. In this scenario, your team may want to "ignore" the finding. Generally, SAST tools allow you to ignore findings, but they do so in different ways. Some tools allow you to ignore an issue from a dashboard, whereas others may require you to add a comment to the line of code in your codebase to mute a finding permanently. Adding inline comments to your code means more busy work for your developers, but if you ever change vendors, then you'll need to remove or update these comments so that they are compatible with your new tool. Hopefully, you aren't switching tools often, but this is something to consider when making a decision.
If you're adopting a "Shift Left" strategy, you'll absolutely want to choose a SAST tool that can run a scan every time new code is introduced to your Continuous Integration (CI) environment. A CI environment is where new code changes are continuously merged, built, and tested, so it makes sense to add a security scan to the mix. By continuously scanning your code, you increase the odds of fixing issues on time and reducing the risk of introducing vulnerabilities into your production environment.
If you're doubling down on "Shift Left," then the only thing better than scanning your code for vulnerabilities in your CI environment is scanning the code on your developers' machines. Some SAST vendors offer plugins that can be added to an Integrated Development Environment (IDE) like Visual Studio Code. Since an IDE is where developers write code, there are advantages to them being made aware of vulnerabilities while they're writing code. Developers can fix issues immediately and learn how to write more secure code in the process.
Pricing models for SAST tools can vary. Some are priced by the numbers of users, code repositories, or even lines of code analyzed. Your budget is ultimately up to you, but when choosing a tool, be mindful of your expected growth and how this cost could grow over time. A pricing model based on the number of users or lines of code might fit within today's budget, but as your company grows, so will this cost. My recommendation is to think about how you expect your company to grow over the next 12-18 months when evaluating cost.
The vendors we considered
The 42Crunch platform provides a set of automated tools to audit, scan and protect your APIs. You can ensure that all your APIs meet a set security standard before deploying, scan live API endpoints for potential vulnerabilities, and consistently enforce threat protection policies. The 42Crunch platform is unique because it focuses on protecting your APIs. Most SAST tools do not work at the API level, so 42Cruch could be a nice compliment to a more traditional SAST tool.
Advantages: Multi-cloud support, supported across the entire development lifecycle
Disadvantages: Does not scan your application code
Codacy is a SAST tool that can scan your application code for security flaws, code quality, and integrate with your CI/CD workflows and other tools like Slack. The platform includes a dashboard that shows you the quality of your application over time and how long it will take to fix all issues. The dashboard is useful for figuring out if you're heading in the right direction--hopefully, your issues are trending downward!
Advantages: Code quality scanning, supports over 40 languages and frameworks, free for open-source teams
Disadvantages: Limited customization for code quality settings
Salesforce Application Development + SAST = CodeScan. CodeScan checks your code for bugs and vulnerabilities with the most complete database for Apex Visualforce, Lightning, and Metadata. This is the only tool that I found specific to Salesforce, so it is a great option if you have Salesforce applications in your portfolio.
Advantages: Scans Salesforce applications, custom rules, unlimited scans
Disadvantages: Requires SonarQube for some features
Coverity is a SAST solution that helps development and security teams address security and quality defects early in the software development lifecycle and ensure compliance with security and coding standards. Coverity integrates with your CI/CD pipeline and issue-tracking integrations like Jira and Bugzilla.
Advantages: Support for 21 languages and 70+ frameworks, IDE plugin, low false-positive rate
Disadvantages: No free trial
DeepSource is an all-in-one platform that can be used to take control of your code's quality and security. It has some unique features that could be difference-makers when selecting a tool, including the automatic generation and application of fixes for issues and the detection of security and configuration problems for Terraform and Docker. Also, DeepsSource boasts having the largest collection of static analysis rules in the industry.
Advantages: IDE integration, low false-positive rate, secret scanning, free account
Disadvantages: Inline comments to mute findings
Semgrep is an open-source, static analysis tool for finding bugs and enforcing code standards early in the development lifecycle. It is one of the most flexible tools in the space. Semgrep not only offers a vast library of community-sourced rules that runs against your code, but you can create any rule that you want. This is a value-add if there are company-specific standards that you want to look for. Even though Semgrep is open-source, they offer paid plans that provide additional functionality such as a dashboard, API access, and SSO.
Advantages: Open-source, IDE integration, custom rules
Disadvantages: Inline comments to mute findings
Snyk (pronounced sneak) is a developer-first platform for securing code, dependencies, containers, and infrastructure as code. Their vulnerability database is maintained by a dedicated research team that combines public sources, proprietary research, machine learning, and contributions from the developer community and academia. Snyk not only alerts you to issues in your codebase but also provides examples to help you fix them based on patterns found in open-source projects.
Advantages: IDE plugin, remediation advice, prioritization score, free account, mute findings from the dashboard
Disadvantages: Overlap with tools like Dependabot
SonarQube is a veteran in the SAST space. In the past, it was not uncommon to find SonarQube in use with Java applications, but it has evolved over time and expanded support to 27 languages. After SonarQube scans your code, it grades the quality of your application on a scale from A to E. If the grade doesn't meet the minimum standard defined in your quality gate, then you can block the code changes from being deployed to production.
Advantages: Open source (hosted plans available), IDE plugin, support for older technologies
Disadvantages: More difficult to setup than other options, limited rule customization
Veracode offers a holistic, scalable way to manage security risk across your entire application portfolio. It accommodates, not only your SAST needs, but also Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA), and it allows you to see your whole application landscape in a central location.
Advantages: Add-ons for DAST and SCA, low false-positive rate, IDE plugin
Disadvantages: No free trial
Software Composition Analysis (SCA) involves generating an inventory of all the open-source components in your products, including all direct and transitive dependencies; it's an important part of compliance, especially if you have limitations on what types of open-source licenses you can use.
For a quick breakdown of features by vendor, check out this comparison chart:
|Vendor||Multi-language support||CI/CD Integration||IDE Plugin||Code Quality||Free trial or Free tier|
In the end, we chose Snyk to keep our codebase free from security vulnerabilities that could put customers' data at risk.
As a past user of SAST tools, I know that adoption and maintenance are two major hurdles. While these tools provide a real benefit, they often get ignored because they become "just another thing" to check, and eventually, they stop getting checked. However, in today's threat climate, this is an unsafe place to be, and it puts your company and your customers' data at risk.
There are some great SAST tools on the market, but I found Snyk's finding management the easiest to work with. Between the IDE plugin and Synk's dashboard, it's easy to filter out false positives without straying beyond the developers' normal workflow. By keeping the volume low, we'll be able to quickly review and fix vulnerabilities to keep our customers' data safe. For Trustpage, that's our mission—building trust with our customers.
Consider adding Static Application Security Testing to your company's Trust Center today.
Jay Lloyd is the Lead Evangelist at Trustpage. After work, you can find him on his Peloton. He lives in Detroit.
Copyright © 2021 Trustpage. All rights reserved.