Static Application Security Testing: Challenges and Benefits
In 2010, Ponemon Institute conducted a study to better understand the risk of insecure websites. Sponsored by Imperva and WhiteHat Security, the study showed that despite having increasing numbers of mission-critical applications accessible via their websites, many organizations were failing to secure and protect them. This was particularly alarming given that the web application layer was, and continues to be, the number one attack target of hackers.
Fast forward to 2016 and let’s ask ourselves if things are better or worse. Is web application security still a serious issue, and what tools do we have in our arsenal to address it?
When it comes to application security testing, these are the two most commonly used approaches:
Static application security testing (SAST), which is a set of technologies designed to analyze application source code, byte code, and binaries from the “inside out” in a non-running state
Dynamic application security testing (DAST), which takes place while the application is running and tries to penetrate it “from the outside in” to identify potential vulnerabilities, including those outside the code and in third-party interfaces
The Power of Static Application Security Testing
Because static application security testing tools are used early in the development process, they can expose weaknesses before software is deployed.
These tools examine the source code or binaries line by line. They detect flaws and give you the chance to fix them before they become a true vulnerability for your organization.
Selecting the Right Tool
One of the biggest challenges in using SAST is the number of false positives generated, as well as the inability to test applications in the real environment where third-party code, application logic, or an insecure configuration may introduce serious vulnerabilities.
When selecting the right SAST tool, look for one that:
Can scan source code for the most commonly used programming languages.
Can scan binary files for certain languages, as needed.
Will identify weaknesses.
Can provide thorough and actionable vulnerability reports.
Integrates with key developer tools and supports CI/CD processes.
Used correctly, static application security testing should be able to reduce false positives and produce results that are focused, actionable, and cost effective.
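To make the SAST idea and its false-positive problem concrete, here is a toy checker added for this article (it is not code from the original post or from any vendor's product). It parses Python source with the standard ast module without running it, the "inside out" approach described above, and reports cursor.execute(...) calls whose query is assembled by concatenation or an f-string; a naive pass flags every such query, a refined pass only those that mix in non-literal data. The sample function find_user and its queries are constructed for the demonstration.

```python
import ast

# Constructed sample under review: lines 3 and 5 splice a variable into the
# SQL text, line 4 only joins two literals, line 6 is parameterized.
SAMPLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute("SELECT * FROM users " + "WHERE active = 1")
    cursor.execute(f"SELECT * FROM users WHERE id = {name}")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _execute_queries(source: str):
    """Yield the first argument of every `<obj>.execute(...)` call."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            yield node.args[0]


def _mixes_non_literal(node: ast.AST) -> bool:
    """True if a concatenation or f-string contains anything but constants."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _mixes_non_literal(node.left) or _mixes_non_literal(node.right)
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return True  # names, calls, subscripts: data the analyzer cannot trust


def naive_scan(source: str) -> list[int]:
    """Flag every dynamically assembled query; this includes false positives."""
    return sorted(q.lineno for q in _execute_queries(source)
                  if isinstance(q, (ast.BinOp, ast.JoinedStr)))


def refined_scan(source: str) -> list[int]:
    """Flag only queries that mix non-literal data into the SQL text."""
    return sorted(q.lineno for q in _execute_queries(source)
                  if isinstance(q, (ast.BinOp, ast.JoinedStr))
                  and _mixes_non_literal(q))


if __name__ == "__main__":
    print("naive:  ", naive_scan(SAMPLE))    # [3, 4, 5]
    print("refined:", refined_scan(SAMPLE))  # [3, 5]
```

Line 4 is the false positive: the naive pass reports it because it sees concatenation, while the refined pass notices that only literals are joined and stays silent.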
Want to learn more about application security testing? Click here to read our white paper, Application Security Testing as a Foundation for Secure DevOps.