By: Chiranjeevi
March 10, 2018

Static Application Security Testing for Early Vulnerability Identification


Static Application Security Testing (SAST), also called secure code review, is an inside-out (white-box) test approach that identifies security vulnerabilities at the code level.

It is essential for an organization to identify and fix security vulnerabilities at the development stage, both to avoid a last-minute rush before release and to improve code quality, which reduces the application's risk. SAST tools can be integrated with developers' IDEs (Integrated Development Environments), where developers can track their code quality, which in turn improves the security quotient of the application. Issues in a SAST report are easier for a developer to fix because the report points to the vulnerable code at its exact location (line number).

SAST can be applied to both stand-alone (thick client) applications and browser-based (thin client) applications; however, the SAST tool must support the programming language the application is written in.

Code review tools generally identify the points where data enters the program (sources) and the variables that carry it, then track that data to the points where it is executed or consumed (sinks), validating the code in between and reporting the vulnerable execution points. This makes SAST an effective means of finding vulnerabilities such as SQL injection, buffer overflow and cross-site scripting.
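The source-to-sink tracking described above, reduced to a toy analyzer, as an added example that is not part of the original post and not the code of any SAST product named here. It uses only Python's standard-library `ast` module: assignments are walked in source order, a variable that receives data from an untrusted source is marked tainted, the taint survives string concatenation, `%`-formatting, f-strings and `.format()`, and a tainted value arriving at a dangerous sink is reported with its line number, the way a SAST report points at the exact location. The `SOURCES`, `SINKS` and `SANITIZERS` tables and the `SAMPLE` code under review are assumptions constructed for this example.

```python
"""Toy source-to-sink taint tracking over Python code with the standard-library ast module.

Added example (not from the original post). The SOURCES, SINKS and SANITIZERS tables are
assumptions chosen for this example; a real tool ships large, language-specific tables.
"""
import ast
from dataclasses import dataclass

# Assumed vocabulary for the toy analysis: where untrusted data enters, where it is
# dangerous, and which calls are treated as neutralising it.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute": 0, "os.system": 0}   # sink name -> index of the dangerous argument
SANITIZERS = {"int", "shlex.quote"}


@dataclass
class Finding:
    line: int
    sink: str
    expr: str   # the tainted expression that reached the sink


def _call_name(call):
    """Dotted name of a call target, e.g. request.args.get(...) -> 'request.args.get'."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _is_tainted(expr, tainted):
    """True if expr reads a tainted variable or a source anywhere inside it; a top-level
    call to a sanitizer clears the taint."""
    if isinstance(expr, ast.Call) and _call_name(expr) in SANITIZERS:
        return False
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
        if isinstance(node, ast.Call) and _call_name(node) in SOURCES:
            return True
    return False


def _own_exprs(stmt):
    """Sub-nodes that belong to this statement itself, excluding nested statement bodies."""
    for field, value in ast.iter_fields(stmt):
        if field in ("body", "orelse", "finalbody", "handlers"):
            continue
        if isinstance(value, ast.AST):
            yield value
        elif isinstance(value, list):
            yield from (item for item in value if isinstance(item, ast.AST))


def _scan(stmts, tainted, findings):
    for stmt in stmts:
        # 1. propagate taint through assignments; a clean reassignment clears the variable
        if isinstance(stmt, ast.Assign):
            dirty = _is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if dirty:
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)
        # 2. report every sink call in this statement whose dangerous argument is tainted
        for expr in _own_exprs(stmt):
            for node in ast.walk(expr):
                if isinstance(node, ast.Call) and _call_name(node) in SINKS:
                    name = _call_name(node)
                    idx = SINKS[name]
                    if idx < len(node.args) and _is_tainted(node.args[idx], tainted):
                        findings.append(Finding(node.lineno, name, ast.unparse(node.args[idx])))
        # 3. descend into nested blocks in source order
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                _scan(inner, tainted, findings)
        for handler in getattr(stmt, "handlers", []):
            _scan(handler.body, tainted, findings)


def analyze(source):
    """Return the list of Findings for one module of Python source."""
    findings = []
    _scan(ast.parse(source).body, set(), findings)
    return findings


# Constructed sample under review (not real application code). Line 5 concatenates
# untrusted input into a query, line 6 parameterizes it, line 8 uses a sanitized value,
# line 9 passes untrusted input straight into a shell command.
SAMPLE = '''\
import os
def lookup(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    safe_id = int(user_id)
    cursor.execute("SELECT * FROM users WHERE id = %d" % safe_id)
    os.system("ping " + request.args.get("host"))
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: tainted data reaches {f.sink}: {f.expr}")
```

Running it reports lines 5 and 9 only: the parameterized query on line 6 keeps the untrusted value out of the query string, and the `int()` call on line 7 is treated as a sanitizer, so line 8 is clean. Note what the analysis cannot see: whether the database connection itself uses TLS or how the server is configured is not in this source at all, which is exactly the blind spot the next paragraph describes.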

The downside of SAST is that it cannot identify configuration issues, TLS-related weaknesses and similar problems that are not expressed in the source code. In any case, no testing method alone, SAST included, can give 100% confidence in an application's security; a combination of testing methodologies such as SAST, DAST and IAST gives a good level of confidence.

Various commercial and open source tools are available for static code review, for example:

Open Source Tools:

  • SonarQube by OWASP

  • FindBugs for Java

  • Visual Code Grepper

  • YASCA etc…

Commercial Tools:

  • VeraCode

  • CheckMarx

  • HP Fortify

  • Appscan Source etc…

Note: The order of the tools above does not reflect their effectiveness.
