Home How To Weighing the Pros and Cons of Static Application Security Testing

Weighing the Pros and Cons of Static Application Security Testing

by Mic Johnson

Find out if you should use SAST in your project

In 2017, The Open Web Application Security Project (OWASP) released a report on the Top 10 most critical web application and API security risks faced by the developers worldwide. For your information, OWASP is a

  • … non-profit organization that aims to improve the security of software applications. As of 2020, it has hundreds of open-source projects and resources which educates the developers on the A-Z of secure applications.

Since then, the community behind OWASP continues updating the report based on the test conducted by the security experts from all over the world on an annual basis.

As of October 2020, the current list is as follows:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components With Known Vulnerabilities
  10. Insufficient Logging and Monitoring

You will notice that the majority of the vulnerabilities listed are commonly found in web applications. There are quite a number of ways to tackle this issue. In this tutorial, I am going to explain about static analysis which is also known as static application security testing.


Static application security testing (SAST) is a type of testing method that analyzes the underlying source code and binaries in order to identify potential vulnerabilities related to security. Since it requires access to your source code, you can think of it as a white-box testing method aims to improve the security of your application. 

Most of the time, you will use a specialized SAST software which scan and analyze the underlying source code of your application. Once the scan is completed, you should have a comprehensive report on the overall vulnerabilities found in your application and the exact lines of the code which should be modified.

Applying SAST on your project helps to reduce the vulnerabilities of your application. However, it also comes with some drawbacks in which you should take into considerations. Let’s have a look at the advantages and disadvantages of SAST.



One of the biggest advantage of SAST is automation. You will be able to free up quite a substantial amount of development time on identifying and testing security bugs manually. Most of the SAST software can be automated easily. All you need to do is setup the desired configuration and run it.

Instead of spending hours manually checking the code, you can simply automate the process with SAST software and wait for the result. Once the scan is completed, developers can start fixing the security bugs based on the generated report.

Early Detection

SAST is meant to be conducted at the early stage of your development before the code is compiled for production. Being able to identify the problems earlier is extremely valuable. You definitely do not want to spend hours fixing security issues after releasing it to your clients.

Fast and Accurate

Most of the SAST software in the market are well established. You can easily integrate it into your project. The analyzing process is fast and can accurately identify most of the common security vulnerabilities. 

Besides, SAST applications are often updated to comply with the latest security vulnerabilities. With SAST, your priorities as a developer is to fix security bugs rather than identifying them.

Develop Secure Coding

SAST also helps to instill a sense of strong secure coding practice among the developers. During the first scan, the team will be able to uncover lots of potential security risks in your code. Subsequently, most of the developers are now quite familiar with the problems in their code and the proper way to fix them.


Having said that, SAST also comes with the following disadvantages:

False Sense of Security

Regardless of which SAST tools that you use, it is not possible to cover all security vulnerabilities. On top of that, developers still need to check their code for logical vulnerabilities and configuration issues. 

Overrelying on SAST might provide a false sense of security among the developers. The team should not to let their guard down even if their code was found to be safe and secure as false negative might happen.

False Positives

False positives might happens from time to time. As a result, the team has to spend extra time fixing problems that do not exist. It can put a dent on the development process and morale of the developers. They might be reluctant to use it again in the future.


Let’s recap what we have learned today.

We started off with a simple problem statement on the top 10 security risks based on the report provided by OWASP.

Next, we explored on the fundamental concepts behind static application security testing (SAST).

Finally, we learned about the advantages and disadvantages of applying SAST in your project.

Thanks for reading this piece. Hope to see you again in the next article!


  1. What are the OWASP Top 10
  2. 3 Static Application Security Testing advantages (SAST) You Should Know
  3. Static Application Security Testing: SAST Basics

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid