Find out if you should use SAST in your project
In 2017, the Open Web Application Security Project (OWASP) released its Top 10 report on the most critical security risks facing web applications and APIs. For your information, OWASP is a non-profit organization that aims to improve the security of software applications. As of 2020, it maintains hundreds of open-source projects and resources that educate developers on the A-Z of secure applications.
Since then, the community behind OWASP has kept the list up to date, revising it every few years on the basis of vulnerability data contributed by security firms and organizations around the world, together with a survey of practitioners.
As of October 2020, the current list (the 2017 edition) is as follows:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging and Monitoring
You will notice that most of the risks listed are vulnerabilities commonly found in web applications. There are quite a number of ways to tackle them. In this tutorial, I am going to explain static application security testing (SAST), the security-focused form of static analysis.
Static application security testing (SAST) is a testing method that analyzes an application's source code (or, with some tools, its compiled bytecode or binaries) without executing it, in order to identify potential security vulnerabilities. Since it requires access to your source code, you can think of it as a white-box testing method that aims to improve the security of your application.
Most of the time, you will use specialized SAST software that parses your application's code, builds a model of it (typically an abstract syntax tree together with control- and data-flow information) and matches that model against a set of rules. Once the scan is complete, you should have a report of the vulnerabilities found in your application, including the exact file and line of code that should be modified.
Applying SAST to your project helps reduce the number of vulnerabilities in your application. However, it also comes with some drawbacks that you should take into consideration. Let's have a look at the advantages and disadvantages of SAST.
Automation
One of the biggest advantages of SAST is automation. It frees up a substantial amount of development time that would otherwise go into identifying and testing for security bugs by hand. Most SAST software can be automated easily: you set up the desired configuration, run it, and hook it into your build or continuous integration pipeline so that every commit is scanned and the build fails when a new finding appears.
Instead of spending hours manually reviewing the code, you automate the process with SAST software and wait for the result. Once the scan is complete, developers can start fixing the security bugs listed in the generated report.
Early Detection
SAST is meant to run at an early stage of development, on the code as it is written and before it is built and shipped to production. Being able to identify problems earlier is extremely valuable: you definitely do not want to spend hours fixing security issues after releasing the software to your clients.
Fast and Accurate
Most SAST tools on the market are well established and can easily be integrated into your project. Scans are fast, and the tools accurately identify most of the common vulnerability classes whose patterns are visible in the code itself, such as injection, cross-site scripting and hard-coded credentials.
Besides, SAST tools are updated regularly as new vulnerability classes and rules appear. With SAST, your priority as a developer is fixing security bugs rather than finding them.
Develop Secure Coding
SAST also helps to instill strong secure-coding practice among developers. The first scan will typically uncover a lot of potential security risks in the code. After working through them, most developers become familiar with the problems in their code and the proper way to fix them, and stop introducing them in the first place.
Having said that, SAST also comes with the following disadvantages:
False Sense of Security
Regardless of which SAST tool you use, it cannot cover all security vulnerabilities. A static tool sees the code but not the running system, so flaws in business logic, authorization decisions and deployment configuration are largely outside its reach; developers still need to review their code for these.
Over-relying on SAST might create a false sense of security among developers. The team should not let its guard down even when a scan reports the code as clean, because false negatives do happen.
False Positives
False positives also happen from time to time: the tool reports a problem that does not exist. As a result, the team has to spend extra time investigating findings that turn out to be harmless. This puts a dent in the development process and in the morale of the developers, who might be reluctant to use the tool again in the future. Tuning the rule set and marking reviewed findings with an inline suppression comment, as most tools allow, keeps the noise manageable.
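As an added illustration of how a SAST tool works (the scan-and-report process described earlier) and of the false positives and false negatives just discussed, here is a small checker written for this article; it is not code from any real SAST product. It uses Python's standard-library `ast` module to find `execute`/`executemany` calls whose SQL statement is assembled at runtime, reports the exact line, and honours a hypothetical `# nosast` comment as its inline-suppression convention. The sample source it scans is constructed for the demonstration.

```python
"""Minimal SAST-style checker, written for this article as an illustration.

Parses Python source with the standard-library ``ast`` module, finds calls
named ``execute``/``executemany`` and reports the exact line whenever the
SQL statement passed to them is assembled at runtime from non-literal values.
Lines carrying the (hypothetical) ``# nosast`` comment are treated as
reviewed false positives and dropped from the report.
"""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass

DB_CALLS = {"execute", "executemany"}
SUPPRESS_MARK = "# nosast"  # assumed suppression convention, not a real tool's


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line of the offending call
    rule: str   # human-readable rule name
    code: str   # the source line, for the report


def _literal_only(node: ast.AST) -> bool:
    """True when an expression is built solely from string constants."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.JoinedStr):  # f-string without placeholders
        return all(isinstance(v, ast.Constant) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _literal_only(node.left) and _literal_only(node.right)
    return False


def _dynamic_kind(node: ast.AST) -> str | None:
    """Name the string-building construct that mixes runtime values in."""
    if _literal_only(node):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"
            and isinstance(node.func.value, ast.Constant)
            and not all(isinstance(a, ast.Constant) for a in node.args)):
        return "str.format()"
    return None  # a bare variable or call result is not followed: false negatives live here


def scan(source: str, filename: str = "<string>") -> list[Finding]:
    """Return the unsuppressed findings for one source text, ordered by line."""
    tree = ast.parse(source, filename)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in DB_CALLS and node.args):
            continue
        kind = _dynamic_kind(node.args[0])
        if kind is None:
            continue
        text = lines[node.lineno - 1]
        if SUPPRESS_MARK in text:  # reviewed by a human and accepted as harmless
            continue
        findings.append(Finding(node.lineno, f"SQL statement built by {kind}", text.strip()))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input for the demonstration; not taken from any real project.
SAMPLE_SOURCE = '''\
TABLE = "users"

def find_user(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")   # true positive
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))  # safe: parameterised
    cur.execute("SELECT * FROM " + TABLE)  # nosast -- constant table name, reviewed false positive
    q = "DELETE FROM users WHERE name = '" + name + "'"
    cur.execute(q)                                              # false negative: not tracked
    return cur.fetchall()
'''


def main(argv: list[str]) -> int:
    """CI gate: scan the given files (or the embedded sample), fail on findings."""
    sources = [("sample.py", SAMPLE_SOURCE)]
    if argv:
        sources = []
        for path in argv:
            with open(path, encoding="utf-8") as fh:
                sources.append((path, fh.read()))
    total = 0
    for name, src in sources:
        for finding in scan(src, name):
            print(f"{name}:{finding.line}: {finding.rule}: {finding.code}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to scan the embedded sample, or pass file paths; it exits with status 1 when any unsuppressed finding remains, which is exactly what a CI job needs in order to fail the build. The sample shows both failure modes from the text: the concatenation with the constant `TABLE` is flagged although it is harmless (a false positive, silenced after review with the suppression comment), while the statement assembled into `q` on the previous line is missed entirely because the checker does not follow assignments (a false negative). Real tools add data-flow tracking to close that gap, at the cost of slower and more complex analysis.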
Let’s recap what we have learned today.
We started off with a simple problem statement on the top 10 security risks based on the report provided by OWASP.
Next, we explored the fundamental concepts behind static application security testing (SAST).
Finally, we learned about the advantages and disadvantages of applying SAST in your project.
Thanks for reading this piece. Hope to see you again in the next article!