{"id":223940,"date":"2023-01-23T07:24:24","date_gmt":"2023-01-23T07:24:24","guid":{"rendered":"https:\/\/www.devsecops.ltd\/?p=223940"},"modified":"2023-05-16T06:06:58","modified_gmt":"2023-05-16T06:06:58","slug":"what-is-sast-static-application-security-testing","status":"publish","type":"post","link":"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/","title":{"rendered":"What is SAST(Static application security testing)  &#8211; 7 Checklists Guide 2023"},"content":{"rendered":"<p>SAST(Static application security testing) testing or \u2018Whitebox testing\u2019 or \u2018Source code analysis tools\u2019 scan the source code and test it for any security vulnerabilities very early on in the software development lifecycle. SAST testing occurs before the compilation of the source code and when the code is at rest. This type of testing ensures that all potential bugs and security flaws are caught early on and saves time, effort, and money than if it is found later on in the SDLC.<\/p>\n<p>Different types of SAST tools are available in the market today such as\u00a0 Trufflehog, Talisman, Detect Secrets, Bandit, Sonarqube, Semgrep, Brakeman, Find Sec Bugs, and Njsscan.<\/p>\n<p>How do we choose the best SAST tool for our business needs? This can best be decided by following the <a href=\"https:\/\/www.devsecops.ltd\/five-common-devsecops-problems-and-how-to-solve-them\/\" target=\"_blank\" rel=\"noopener\">DevSecOps<\/a> Gospel, which is\u00a0 described by the 7 checklists below:<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_67_1 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#1_Choose_a_SAST_tool_that_is_simple\" title=\"1. Choose a SAST tool that is simple\">1. Choose a SAST tool that is simple<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#2_It_should_be_able_to_easy_set_up_and_use\" title=\"2. It should be able to easy set up\u00a0 and use\">2. It should be able to easy set up\u00a0 and use<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#3_It_should_support_your_programming_language\" title=\"3. It should support your programming language\">3. It should support your programming language<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#4_A_SAST_tool_that_gives_a_lesser_number_of_false_positives_is_ideal\" title=\"4. A SAST tool that gives a lesser number of false positives is ideal\">4. A SAST tool that gives a lesser number of false positives is ideal<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#5_An_ideal_SAST_tool_should_be_able_to_do_incremental_scans\" title=\"5. An ideal SAST tool should be able to do incremental scans\">5. An ideal SAST tool should be able to do incremental scans<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#6_Customizing_rulesets\" title=\"6. Customizing rulesets\">6. Customizing rulesets<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.devsecops.ltd\/what-is-sast-static-application-security-testing\/#7_It_should_be_compatible_with_the_current_continuous_integration_and_deployment_tools\" title=\"7. It should be compatible with the current continuous integration and deployment tools\">7. It should be compatible with the current continuous integration and deployment tools<\/a><\/li><\/ul><\/nav><\/div>\n<h3><span class=\"ez-toc-section\" id=\"1_Choose_a_SAST_tool_that_is_simple\"><\/span>1. Choose a SAST tool that is simple<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The first and most important aspect when choosing a SAST tool is to check if it is simple to use and satisfies your business needs. It is good to research and analyze various tools and see which suits your business. It is also good to avoid large frameworks in your selection.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2_It_should_be_able_to_easy_set_up_and_use\"><\/span>2. It should be able to easy set up\u00a0 and use<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The second criterion is that the SAST tool should be able to onboard applications easily and should be easily customizable by the business itself. It should also be easy to configure to reduce the number of false positives.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3_It_should_support_your_programming_language\"><\/span>3. It should support your programming language<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The SAST tool you choose must support your programming or development language. It will be pointless if the tool cannot understand your development language and find its various vulnerabilities and bugs. Hence, it is important that the tool must support your development language.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"4_A_SAST_tool_that_gives_a_lesser_number_of_false_positives_is_ideal\"><\/span>4. A SAST tool that gives a lesser number of false positives is ideal<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>It is a fact that SAST tools return a number of false positives. A \u201cfalse positive\u201d is when the tool says there is a problem when there is no problem. While false positives cannot be entirely eliminated, choosing a tool that returns a lesser number of false positives is ideal.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"5_An_ideal_SAST_tool_should_be_able_to_do_incremental_scans\"><\/span>5. An ideal SAST tool should be able to do incremental scans<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A regular scan will take an adequate amount of time depending on the number of lines of code and the application itself. If a regular scan will take a long time to complete, it is good to have a SAST tool that can do incremental scans on subsequent scans. Incremental scans will be able to scan only changed lines of code since the last scan.\u00a0Incremental scans can produce faster results and reduce pipeline execution time.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"6_Customizing_rulesets\"><\/span>6. Customizing rulesets<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>You should be able to customize the rulesets of your SAST tool according to your application to get the desired result.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"7_It_should_be_compatible_with_the_current_continuous_integration_and_deployment_tools\"><\/span>7. It should be compatible with the current continuous integration and deployment tools<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The SAST tool should be compatible with the existing CI and deployment tools.<\/p>\n<p>We have seen the \u2018DevSecOps Gospel\u2019 when choosing a SAST tool.\u00a0 Do stay tuned for more posts on the DevSecOps domain!<\/p>\n<p>References:<\/p>\n<ol>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.techtarget.com\/searchsoftwarequality\/tip\/SAST-vs-DAST-vs-IAST-Security-testing-tool-comparison\"><span style=\"font-weight: 400;\">https:\/\/www.techtarget.com\/searchsoftwarequality\/tip\/SAST-vs-DAST-vs-IAST-Security-testing-tool-comparison<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/owasp.org\/www-community\/Source_Code_Analysis_Tools\"><span style=\"font-weight: 400;\">https:\/\/owasp.org\/www-community\/Source_Code_Analysis_Tools<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/gitlab.com\/gitlab-org\/gitlab\/-\/issues\/9815\"><span style=\"font-weight: 400;\">https:\/\/gitlab.com\/gitlab-org\/gitlab\/-\/issues\/9815<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.synopsys.com\/blogs\/software-security\/steps-to-integrate-sast-into-devsecops-pipeline\/\"><span style=\"font-weight: 400;\">https:\/\/www.synopsys.com\/blogs\/software-security\/steps-to-integrate-sast-into-devsecops-pipeline\/<\/span><\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>SAST(Static application security testing) testing or \u2018Whitebox testing\u2019 or \u2018Source code analysis tools\u2019 scan the source code and test it for any security vulnerabilities very early on in the software development lifecycle. SAST testing occurs before the compilation of the source code and when the code is at rest. This type of testing ensures that [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":223941,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[10],"tags":[766,770,767,12,13,11,773],"_links":{"self":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/223940"}],"collection":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/comments?post=223940"}],"version-history":[{"count":0,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/223940\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media\/223941"}],"wp:attachment":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media?parent=223940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/categories?post=223940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/tags?post=223940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}