Glossary
Static Application Security Testing (SAST), also known as 'white box testing', lets software developers spot vulnerabilities earlier in the Software Development Life Cycle (SDLC). SAST is performed on the code itself, before the application is deployed, checking that secure coding rules are followed without ever executing the application. Because it runs on code as it is written, static analysis fits naturally into agile development while supporting the secure deployment of code.
SAST tools examine the source code at rest to detect and report potential security vulnerabilities. Because the application is never run, SAST does not touch live data; that is a property of dynamic testing (DAST) and of manual testing against a running application, where test inputs may add, alter, or delete records. Static analysis is prone to false positives unless its rules are scoped to the languages and frameworks actually in use and findings are triaged; when configured and tuned correctly, SAST should keep false positives low and produce focused, actionable, and cost-effective results.
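As an added illustration (not code from this page or from any vendor's product), the following Python script does on a small scale what a SAST rule does: it parses source text into an abstract syntax tree, never executes it, and reports calls to command- and code-execution sinks. It also shows the kind of check that keeps false positives down: a sink called with a compile-time constant argument is not reported, because no attacker input can reach it. The sink list, the rules and the sample program under review are all constructed for the example.

```python
"""Minimal SAST-style checker (added example, not a vendor tool).

Walks the Python AST of source text without executing it and reports
dangerous sinks whose argument is not a compile-time constant.
"""
import ast
from dataclasses import dataclass

# Sinks the rules match on. The set is illustrative, not exhaustive.
CODE_EXEC_SINKS = {"eval", "exec"}
SHELL_SINKS = {"os.system", "os.popen"}
SUBPROCESS_SINKS = {"subprocess.call", "subprocess.run",
                    "subprocess.Popen", "subprocess.check_output"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_literal(node):
    """True when the argument is a compile-time constant. A constant cannot
    carry attacker input, so reporting it would be a false positive."""
    try:
        ast.literal_eval(node)
        return True
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError):
        return False


class SinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        has_arg = bool(node.args)
        if name in CODE_EXEC_SINKS and has_arg and not _is_literal(node.args[0]):
            self.findings.append(Finding("code-exec", node.lineno,
                                         f"{name}() with non-constant argument"))
        elif name in SHELL_SINKS and has_arg and not _is_literal(node.args[0]):
            self.findings.append(Finding("shell-exec", node.lineno,
                                         f"{name}() with non-constant command"))
        elif name in SUBPROCESS_SINKS:
            # Only shell=True hands the string to a shell; a list of argv
            # elements with shell=False is not a command-injection sink.
            shell = next((kw.value for kw in node.keywords if kw.arg == "shell"), None)
            if (isinstance(shell, ast.Constant) and shell.value is True
                    and has_arg and not _is_literal(node.args[0])):
                self.findings.append(Finding("shell-exec", node.lineno,
                                             f"{name}(shell=True) with non-constant command"))
        self.generic_visit(node)


def scan_source(source: str):
    """Parse the source and return findings ordered by line number."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample under review. Lines 4, 7 and 9 are real problems;
# lines 5, 6 and 8 use constant arguments or argv lists and are not reported.
SAMPLE = '''
import os, subprocess
def run(user_input):
    os.system("ping -c 1 " + user_input)
    os.system("ls -l /tmp")
    subprocess.run(["ls", "-l", user_input])
    subprocess.run("ls -l " + user_input, shell=True)
    eval("1 + 1")
    eval(user_input)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

The constant-argument exclusion is the simplest form of false-positive control. A production SAST engine goes further and tracks taint from sources (request parameters, environment, files) to sinks, so that a non-constant argument built only from trusted values is also left out of the report.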
There are three basic types of SAST, distinguished by the form of the code they analyze:
Specific code vulnerabilities can be detected and fixed much more quickly with SAST during development than later in the software development life cycle.
Testing earlier in the SDLC also helps developers identify outdated (unpatched) libraries and platforms while still in development (a check usually handled by a software composition analysis step run alongside the SAST scan), so fewer vulnerabilities reach production. Pairing this with an automated suite of unit, functional, and end-to-end tests lets developers keep their libraries up to date without spending hours determining whether a version change breaks application functionality.
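As an added example (not from this page or from any product), here is the kind of dependency-version check that catches an unpatched library before code is merged; in most toolchains it lives in a software composition analysis step that runs beside the SAST scan. The advisory table, the package names and the requirements file are all constructed for the example, and a real check would read its version ranges from an advisory feed rather than a hard-coded dictionary.

```python
"""Added example: flag pinned dependencies that fall inside a known-vulnerable
version range. ADVISORIES below is constructed for the example, not real data.
"""
import re

# Constructed advisory table: package -> list of (first vulnerable, first fixed).
# The package names are hypothetical.
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2")],
    "otherlib":   [("2.0.0", "2.1.0"), ("3.0.0", "3.0.3")],
}

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$")


def parse_version(version: str):
    """Turn '1.4.2' into (1, 4, 2) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str):
    """Return {package: version} from exact '==' pins; anything unpinned is
    rejected, because an unpinned dependency cannot be checked reliably."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = _PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def vulnerable_pins(pins):
    """Return (package, pinned version, affected range) for every pin that
    falls in a range where first_vulnerable <= version < first_fixed."""
    hits = []
    for name, version in pins.items():
        current = parse_version(version)
        for first_bad, first_fixed in ADVISORIES.get(name, []):
            if parse_version(first_bad) <= current < parse_version(first_fixed):
                hits.append((name, version, f">={first_bad},<{first_fixed}"))
    return hits


# Constructed requirements file for the run.
REQUIREMENTS = """
examplelib==1.3.0   # inside the vulnerable range
otherlib==2.1.0     # exactly the first fixed release
safelib==0.9.1      # no advisory on record
"""

if __name__ == "__main__":
    for name, version, affected in vulnerable_pins(parse_requirements(REQUIREMENTS)):
        print(f"{name}=={version} is affected ({affected}); upgrade before merging")
```

Running this as a pre-merge check means a developer sees the affected pin in the same feedback loop as SAST findings, and the automated test suite mentioned above is what makes the resulting version bump cheap to verify.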
Key benefits include:
Make sure you are: