Static Application Security Testing: Challenges and Benefits


In 2010, the Ponemon Institute conducted a study, sponsored by Imperva and WhiteHat Security, to better understand the risk posed by insecure websites. It showed that, despite exposing an increasing number of mission-critical applications through their websites, many organizations were failing to secure and protect them. This was particularly alarming given that the web application layer was, and continues to be, the most frequently attacked part of an organization's infrastructure.
Fast forward to 2016 and ask whether things are better or worse. Is web application security still a serious issue, and what tools do we have in our arsenal to address it?
When it comes to application security testing, these are the two most commonly used approaches:
  • Static application security testing (SAST): a set of technologies that analyze application source code, bytecode, or binaries "from the inside out" while the application is not running.
  • Dynamic application security testing (DAST): testing that takes place while the application is running and tries to penetrate it "from the outside in" to identify potential vulnerabilities, including those outside the code itself, such as in configuration and third-party interfaces.

The Power of Static Application Security Testing

Because static application security testing tools are used early in the development process, they can expose weaknesses before software is deployed.
These tools analyze the source code or binaries directly, typically by parsing them into a model of the program and tracing how data flows from untrusted inputs to sensitive operations. They detect flaws and give you the chance to fix them before they become a real vulnerability for your organization.
Prevent vulnerabilities in the code before you launch, and you will have a much more secure application.

The Challenges of Static Application Security Testing

Although SAST can be very effective, it comes with its own set of challenges:
  • SAST tools tend to be complex, difficult to use, and unable to work well together.
  • It requires access to source code or binaries, which some organizations or individuals might not be willing to hand over to external application testers.
  • It usually needs to be integrated into the systems development lifecycle to detect vulnerabilities before deployment into the live environment, which can make it difficult to implement.
  • Each SAST tool tends to only focus on a subset of potential weaknesses.
  • It can't identify vulnerabilities outside the application’s code, such as those defects that might be found in third-party interfaces.

The Benefits of Static Application Security Testing

Despite the above-mentioned challenges, the benefits of static application security testing usually far outweigh the costs. 
They include: 
  • The ability to detect highly complex vulnerabilities that are not visible without access to the source code.
  • The ability to tell you the precise location of any flaw in the source code, including the line number, which greatly simplifies remediation and managing false positives.
  • The ability to provide a valuable framework during application development to detect weaknesses before they become security risks for your end users and your organization.  
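To make the "inside out" analysis described above concrete, and to show how a static tool can report the exact line of a flaw while still avoiding a false positive on parameterized queries, here is a deliberately small source-to-sink taint rule written for this article. It is an added example, not code from the original page or from WhiteHat Security's products. It assumes a Flask-style `request` object as the untrusted source, a DB-API-style `cursor.execute()` as the sink, and a hypothetical rule configuration (`SOURCE_ATTRS`, `SINK_METHODS`, `SANITIZERS`) that a real product would express in its own rule language; the scanned `SAMPLE` program is constructed for the example.

```python
"""Toy source-to-sink taint rule built on Python's ast module (illustrative, not a product)."""
import ast
from dataclasses import dataclass

# Hypothetical rule configuration: an assumption of this example, not a real tool's ruleset.
SOURCE_ATTRS = {"args", "form", "values", "cookies", "headers"}  # request.<attr> is attacker-controlled
SINK_METHODS = {"execute", "executemany"}                          # cursor.<method>(query, params)
SANITIZERS = {"int", "float"}                                      # numeric casts cannot carry SQL syntax


@dataclass
class Finding:
    line: int
    col: int
    message: str


class TaintTracker(ast.NodeVisitor):
    """Flow-insensitive, intraprocedural taint propagation through simple assignments."""

    def __init__(self):
        self.tainted = set()    # variable names currently holding request data
        self.findings = []

    def _is_source(self, node):
        # Matches request.args, request.form["x"], request.args.get("x"), ...
        if isinstance(node, ast.Call):
            node = node.func
        if isinstance(node, ast.Subscript):
            node = node.value
        if isinstance(node, ast.Attribute) and node.attr == "get":
            node = node.value
        return (isinstance(node, ast.Attribute) and node.attr in SOURCE_ATTRS
                and isinstance(node.value, ast.Name) and node.value.id == "request")

    def _is_tainted(self, node):
        if self._is_source(node):
            return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):                       # "..." + x, "..." % x
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                   # f"...{x}..."
            return any(self._is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in SANITIZERS:
                return False                                  # int(x): taint does not survive the cast
            receiver_tainted = (isinstance(node.func, ast.Attribute)
                                and self._is_tainted(node.func.value))  # x.strip(), "...".format(x)
            return receiver_tainted or any(self._is_tainted(a) for a in node.args)
        return False

    def visit_Assign(self, node):
        tainted = self._is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)          # reassignment from a clean value untaints
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_METHODS and node.args:
            # Only the query text (args[0]) is a sink; bound parameters in args[1:] are safe by construction,
            # so a parameterized query with tainted parameters is correctly NOT reported.
            if self._is_tainted(node.args[0]):
                self.findings.append(Finding(node.lineno, node.col_offset,
                    f"request data reaches {func.attr}() as SQL text (possible SQL injection)"))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Return findings, each with the precise line and column of the offending sink call."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source, filename))
    return tracker.findings


# Constructed sample program (not from any real code base). Lines 8 and 12 are injectable;
# line 10 is neutralized by int(), line 13 is a parameterized query.
SAMPLE = '''
from flask import request
import sqlite3

def lookup(conn):
    cur = conn.cursor()
    user = request.args.get("user")
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    uid = int(request.args.get("id"))
    cur.execute("SELECT * FROM users WHERE id = %d" % uid)
    q = f"SELECT * FROM users WHERE name = '{user}'"
    cur.execute(q)
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "app.py"):
        print(f"app.py:{f.line}:{f.col}: {f.message}")
```

Run as a script it reports two findings, at lines 8 and 12 of `SAMPLE`, in the `file:line:col: message` form most SAST tools emit. The point of the `SANITIZERS` set and of looking only at the query argument of `execute()` is the false-positive discussion later on this page: a rule that simply flagged every `execute()` call near request data would also report lines 10 and 13, and developers would quickly stop reading the report.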

Static Application Security Testing Best Practices

There are of course right and wrong ways to use static application security testing, and there are certain practices that will set you up for success. 
Make sure you are:
  • Building security into the software-development lifecycle, so that you are finding and fixing vulnerabilities early.
  • Testing your source code within your own environment, so there is no need to upload source code or binaries to a new location.
  • Using Software Composition Analysis and ready-to-implement code fixes, whenever possible.
  • Scanning compiled binaries for the languages where that is supported, so that code without available source (third-party libraries, for example) is still covered.
  • Ensuring integrations to key developer tools and support for CI/CD processes.

Selecting the Right Tool

One of the biggest challenges in using SAST is the number of false positives generated, as well as the inability to test applications in the real environment where third-party code, application logic, or an insecure configuration may introduce serious vulnerabilities.
When selecting the right SAST tool, look for one that:
  • Can scan source code in the programming languages your teams actually use.
  • Identifies real weaknesses with a manageable false-positive rate, rather than flagging every pattern match.
  • Provides thorough, actionable vulnerability reports that point to the affected code.
Used correctly, static application security testing should be able to reduce false positives and produce results that are focused, actionable, and cost effective. 
Want to learn more about application security testing? Read the WhiteHat Security white paper, Application Security Testing as a Foundation for Secure DevOps.
whitehatsec.com