Static application security testing (also known as static analysis or SAST) is the analysis of computer software that is performed without actually executing programs built from that software. Static analysis is a quick and effective method of discovering common issues found in code. It also provides good coverage of software source code while giving the analyst further insight into the coding practices currently in place.
Let’s discuss six simple steps needed to perform SAST efficiently in firms that have a very large number of applications built on different languages, frameworks, and platforms.
The first step is to select a tool capable of performing static analysis of the different applications in your firm. The tool needs to understand not only the programming languages used, but also the underlying and dependent frameworks used by the software. Some additional factors to consider include IDE support, cost of the tool, and infrastructure requirements for the tool. This might involve a detailed analysis of the different static analysis tools available to determine which tools best satisfy your needs.
In cases where tools do not adequately support the languages or frameworks being used, manual code reviews can be performed as a supplemental activity.
Now that you have decided on the tool to use, create an infrastructure to deploy the tool. This might involve handling licensing requirements of the tool, access control and authorization to access the tool, and procuring the resources required (e.g. servers and databases) to deploy.
Once the tool is deployed and in use among the different teams, it’s time to customize the tool to further suit your needs. This could include integrating the scanning tools to build environments, creating dashboards for tracking scan results, and building custom reporting.
The tools can also be tuned to reduce false positives or find additional vulnerabilities in frameworks used by development teams.
Many enterprises have a large number of applications that can be put through the scanning program. Your firm can prioritize these applications to ensure that the highest-risk applications are scanned first. As time progresses, the majority of the applications can be on-boarded to the scanning infrastructure. The code to be analyzed with a tool needs to be compilable and include all the libraries used within, or in association with, the software.
Once on-boarded with the tool, the applications should be scanned regularly. Scans can be synced to the release cycle, to daily or monthly builds, or to every code check-in.
After the applications are scanned, a security analyst must assess and triage results for false positives. Discovered vulnerabilities should be tracked and provided to the development teams in order to conduct remediation in a timely manner.
A governance program is required to ensure that different teams utilize the scanning tools correctly. The software security touchpoints should be present within the software development life cycle (SDLC). SAST should be incorporated as part of the application development and deployment process.
The scanning results should be tracked to ensure that the critical or high priority issues identified by the tools are fixed before the application is deployed into production. Additionally, you can create language and framework-specific secure coding and remediation guidelines for common security vulnerabilities. This can be used as a resource for developers to refer to during the development phase, as well as for fixing vulnerabilities discovered by the tool.
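The build integration, false-positive tuning, and pre-production gate described in the steps above can be implemented as a small check that runs after the scanner. The following is an added example, not code from the original post or from Synopsys. It assumes the scanner writes findings in SARIF and records a CVSS-like score in the rule property "security-severity"; the severity thresholds, the "ExampleSAST" tool name, the rule ids, file paths and hash values are all constructed for this example.

```python
import json
import sys
from dataclasses import dataclass


def _sample_result(rule_id, text, uri, line, line_hash=None):
    """Build one constructed SARIF result entry for the sample file below."""
    res = {"ruleId": rule_id, "message": {"text": text},
           "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                               "region": {"startLine": line}}}]}
    if line_hash:
        res["partialFingerprints"] = {"primaryLocationLineHash": line_hash}
    return res


# Constructed sample shaped like SARIF 2.1.0 output; tool name, rule ids,
# paths and hash values are invented. Assumption: the scanner records a
# 0-10 score in the rule property "security-severity".
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleSAST", "rules": [
        {"id": "SQLI-001", "properties": {"security-severity": "9.8"}},
        {"id": "XSS-002", "properties": {"security-severity": "7.5"}},
        {"id": "LOG-003", "properties": {"security-severity": "3.1"}}]}},
    "results": [
        _sample_result("SQLI-001", "SQL query built from untrusted input", "src/db/users.py", 42),
        _sample_result("XSS-002", "Unescaped value written to HTML response", "src/web/views.py", 17, "a1b2c3d4"),
        _sample_result("LOG-003", "Sensitive value written to log", "src/util/log.py", 9)]}]})

# Constructed baseline of findings an analyst reviewed and marked as false
# positives, keyed by fingerprint with the reason recorded. Keeping this file
# in version control means suppressions are reviewed like any other change.
FALSE_POSITIVE_BASELINE = {
    "XSS-002:a1b2c3d4": "rendered through an auto-escaping template; reviewed by appsec",
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    uri: str
    line: int
    message: str
    fingerprint: str


def severity_bucket(score: float) -> str:
    """Map a 0-10 score to a bucket. Thresholds are an assumption (CVSS-like)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_sarif(text: str) -> list:
    """Flatten SARIF runs/results into Finding objects."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            score = float(rules.get(rule_id, {}).get("properties", {}).get("security-severity", 0))
            loc = res["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            line = int(loc["region"]["startLine"])
            # Prefer the scanner's stable fingerprint; the file:line fallback
            # shifts whenever unrelated code above the finding changes.
            stable = res.get("partialFingerprints", {}).get("primaryLocationLineHash")
            fingerprint = f"{rule_id}:{stable}" if stable else f"{rule_id}:{uri}:{line}"
            findings.append(Finding(rule_id, severity_bucket(score), uri, line,
                                    res.get("message", {}).get("text", ""), fingerprint))
    return findings


def apply_baseline(findings: list, baseline: dict) -> list:
    """Drop findings an analyst has already triaged as false positives."""
    return [f for f in findings if f.fingerprint not in baseline]


def gate(findings: list, block_on=("critical", "high")):
    """Return (passed, blocking_findings); the build passes only when nothing blocks."""
    blocking = [f for f in findings if f.severity in block_on]
    return (len(blocking) == 0, blocking)


def main() -> int:
    remaining = apply_baseline(parse_sarif(SAMPLE_SARIF), FALSE_POSITIVE_BASELINE)
    passed, blocking = gate(remaining)
    for f in blocking:
        print(f"BLOCKING {f.severity:<8} {f.rule_id} {f.uri}:{f.line} {f.message}")
    print("gate passed" if passed else f"gate failed: {len(blocking)} finding(s) must be fixed")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step of a pipeline stage, the non-zero exit code blocks promotion to production while the sample's critical SQL injection finding is open; the reviewed XSS finding is suppressed by fingerprint rather than by rule, so a new instance of the same rule elsewhere in the code would still block. Lower-severity findings stay in the report for tracking without stopping the build.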
Security training is a valuable way to keep development teams up to date on the most modern security knowledge. Targeted training can transform developers and development leads into security subject matter experts within their teams. They’ll become a go-to resource within the team when it comes to issue remediation, guiding the team toward a better application security posture.
The integration of static analysis into the SDLC can yield dramatic improvements in the overall quality of the code developed. Another advantage of performing static analysis early in the application development process is that vulnerabilities in the code are discovered early, saving time and money. Combined with other software security touchpoints, SAST helps to improve the security and quality of deployed applications.
Sweta Deivanayagam is a Senior Security Consultant at Synopsys. She performs manual and automated penetration testing, code review, and architectural analysis for web applications, mobile applications, and thick client applications. She also creates and conducts training sessions on a variety of topics including defensive programming, and security testing for both web and mobile applications.