There are several techniques for identifying vulnerabilities in software and systems. Smart organizations keep all of them in their “security toolbox” and use a combination of testing tools, including:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA)
  • Vulnerability scanner
  • Penetration testing

The motivation for improving security with automated tools is to shift security left in the software development life cycle (SDLC), identifying and fixing vulnerabilities early. As the application nears release, fixes and remedies become more complex. Figure 1 shows how the cost of fixing bugs increases dramatically as the SDLC progresses.

Figure 1: As the SDLC progresses, the cost of fixing bugs increases.

For an in-depth look at the economics of software security, see the white paper The Business Value of Secure Software. This article focuses on static analysis security testing (SAST) as part of an organization’s security practice.

Static analysis security testing

A SAST tool does not require a running application, so it can be used early in the development life cycle, when repair costs are low. At its most basic level, SAST works by analyzing source code and checking it against a set of rules. SAST tools are usually associated with identifying vulnerabilities, but they also give developers early warnings about poor coding patterns that lead to vulnerabilities, violations of secure coding policies, and lack of conformance to engineering standards that results in unstable or unreliable functionality.

There are two main types of analysis used to identify security issues.

  • Flow analysis
  • Pattern analysis

Flow analysis

In flow analysis, the tool analyzes the source code to understand the underlying control flow and data flow of the code.

Figure 2: Static analysis security testing — flow analysis

The result is an intermediate representation, or model, of the application. The tool then runs rules or checkers against the model to identify coding errors that lead to security holes. For example, in a C or C++ application, a rule might recognize a string copy and then walk the model to determine whether the source buffer could be larger than the destination buffer. If so, the copy can lead to a buffer overflow vulnerability.

Pattern analysis

Avoiding certain constructs in safety-critical code is the foundation of modern software engineering standards such as AUTOSAR C++14, MISRA C 2012, and Joint Strike Fighter (JSF). These standards guard against constructs that are easy to misread, misunderstand, or implement incorrectly, and that therefore lead to unreliable code.

Pattern analysis helps developers use safer subsets of a development language in a safety or security context by disallowing the code constructs that let vulnerabilities occur in the first place. Some rules can be checked purely syntactically, the way a spell checker in a word processor checks a document. More modern tools can also detect subtle patterns associated with poor coding structure.
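To make the two analysis kinds concrete, the following is an added illustration (not code from the original article or from any vendor's product): a toy checker that builds a minimal model of a constructed C snippet, applies a syntactic pattern rule (a banned function) and a simplified data-flow rule (the string-copy check described under flow analysis, comparing the declared sizes of source and destination buffers). The sample C source, the rule messages and the function names are all assumptions of this example.

```python
import re

# Constructed sample C source (not from the page) exercising both rule kinds.
SAMPLE_C = """\
char name[16];
char input[64];
char tmp[8];
gets(input);
strcpy(name, input);
strcpy(input, tmp);
strcpy(tmp, argv[1]);
strncpy(name, input, sizeof(name) - 1);
"""

DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
CALL_RE = re.compile(r"\b(gets|strcpy|strncpy)\s*\(([^;]*)\)\s*;")
BANNED = {"gets": "gets() cannot bound its write; use fgets()"}  # pattern rule

def build_model(src):
    """Tiny stand-in for a SAST model: declared buffer sizes and call sites."""
    sizes, calls = {}, []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in DECL_RE.finditer(line):
            sizes[m.group(1)] = int(m.group(2))
        for m in CALL_RE.finditer(line):
            args = [a.strip() for a in m.group(2).split(",")]
            calls.append((lineno, m.group(1), args))
    return sizes, calls

def pattern_rule(calls):
    """Syntax-level check: flag calls to functions a coding standard bans."""
    return [(ln, "pattern", f"{fn}: {BANNED[fn]}") for ln, fn, _ in calls if fn in BANNED]

def flow_rule(sizes, calls):
    """Data-flow check: could the strcpy source exceed the destination buffer?"""
    findings = []
    for ln, fn, args in calls:
        if fn != "strcpy" or len(args) != 2:
            continue
        dst, src = args
        dst_size, src_size = sizes.get(dst), sizes.get(src)
        if dst_size is None:
            continue  # destination is not a fixed-size local buffer; out of scope here
        if src_size is None:
            findings.append((ln, "flow", f"strcpy into {dst}[{dst_size}] from unbounded source {src}"))
        elif src_size > dst_size:
            findings.append((ln, "flow", f"strcpy into {dst}[{dst_size}] from {src}[{src_size}] may overflow"))
    return findings

def analyze(src):
    """Run both rule kinds over the model and return findings sorted by line."""
    sizes, calls = build_model(src)
    return sorted(pattern_rule(calls) + flow_rule(sizes, calls))

if __name__ == "__main__":
    for ln, kind, msg in analyze(SAMPLE_C):
        print(f"line {ln} [{kind}] {msg}")
```

On the constructed sample the checker reports the banned gets() call, the copy of a 64-byte buffer into a 16-byte one, and the copy from an unbounded source, while the equal-size copy and the bounded strncpy pass.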

The advantage of SAST

Each test method has its advantages, but many organizations focus too much on DAST and penetration testing. Using SAST has several advantages over other testing techniques.

Code coverage

The amount of code tested is a key indicator of software security. Vulnerabilities can exist in any part of the code base, and untested parts can expose an application to attack.

SAST tools, especially those that use pattern analysis rules, can provide much higher code coverage than dynamic techniques or manual processes. They have access to the application’s source code and to all of the application’s inputs, including hidden inputs that are not exposed in the user interface.

Root cause analysis

SAST tools facilitate efficient remediation of vulnerabilities. Static analysis security testing can pinpoint the exact lines of code that introduce an error. Integration with the developer’s integrated development environment (IDE) speeds up remediation of the errors SAST tools find.

Skill improvement

When developers use a SAST tool in the IDE, they receive immediate feedback on their code. This feedback reinforces secure coding practices and educates developers about them.

Operational efficiency

Developers can use static analysis early in the development life cycle, including analyzing individual files directly from the IDE. Finding errors early in the SDLC greatly reduces the cost of remediation, and preventing errors from being introduced in the first place means developers don’t have to find and fix them later.

How to get the most out of SAST

SAST is a comprehensive testing approach, but it does require some initial effort and commitment to adopt successfully.

Deploy SAST as early as possible

Although teams can use SAST tools early in the SDLC, some organizations choose to defer analysis until the testing phase. Analyzing a more complete application does allow data-flow analysis across program units, but using SAST to “shift left” and analyze code directly from the IDE finds vulnerabilities such as input validation errors while they are cheap to fix. It also lets developers make simple fixes before committing code to the build, which helps avoid late security rework.

Use SAST in agile and CI/CD pipelines

SAST is often misunderstood. Many teams consider it time-consuming because it involves in-depth analysis of the source code for an entire project, which may lead organizations to believe that SAST is incompatible with rapid development methodologies. That belief is unwarranted. Static analysis results are available almost instantly in the developer’s IDE, providing immediate feedback and helping developers avoid introducing vulnerabilities. Modern SAST tools also perform incremental analysis, examining only the code that changed between two builds.

Handle noisy results

Traditional static analysis security testing tools typically produce many “informational” results and low-severity coding-standard findings. Modern tools, such as those provided by Parasoft, let users choose which rules/checkers to run and filter results by severity, hiding results that are not worth investigating. Many security standards from OWASP, CWE, CERT, etc. include risk models that help identify the most important vulnerabilities, and your SAST tool should use this information to help you focus on what matters most. Users can also filter findings by additional context, such as the project’s metadata, the age of the code, and the developer or team responsible for it. Parasoft’s tools apply artificial intelligence (AI) and machine learning (ML) to this information to further single out the most critical issues.

Focus on developers

Successful deployments are often developer-centric. They provide the tools and guidance developers need to build security into their software. This is important in agile and DevOps/DevSecOps environments where quick feedback is critical to maintaining speed. IDE integration allows security testing to be done directly from the developer’s work environment — at the file level, project level, or just evaluating code that has changed.

Configure using intelligent rules

When analyzing software security issues, one size does not fit all organizations. It is important that rules/checkers address the specific issues that are critical to a particular application. Organizations that are just beginning security testing may want to limit their rules to the most common security issues, such as cross-site scripting and SQL injection. Other organizations have specific security requirements driven by regulations such as PCI DSS. Look for solutions that allow controlled rule/checker configurations tailored to your needs rather than generic configurations.

Prevention is better than discovery

Build security into your application. This is far more effective than bolting security onto the finished application at the end of the SDLC. Just as you can’t test quality into an application, you can’t test security into it either. SAST is key to early detection, preventing security breaches by ensuring secure code is written from the start.

SAST tools enable organizations to embrace software security from the early stages of development and provide their software engineers with the tools and guidance they need to build secure software.