Key Considerations When Choosing a SAST

We take a look at 11 key criteria when selecting a static analysis tool for modern code


For companies writing and maintaining software at scale today, SAST (Static Application Security Testing) has become an essential tool for increasing code security and reducing cyber risk. First-party code remains a frequent target for attacks on all kinds of organizations, with attackers probing applications constantly to look for weaknesses and vulnerabilities, known and unknown. A wide variety of analyses have found that both the rate and severity of cyberattacks have been on the rise in recent years. For example, ransomware attacks grew by 150% over the course of 2020, according to one research study, while another put the attack increase at 485% year-over-year. Organizations are now regularly paying seven- and eight-figure ransoms to free their systems and data from ransomware gangs. Attackers are also exploiting the window between when a vulnerability is announced and when a patch is released. This is why the CISA announced that all critical vulnerabilities must be patched within two weeks on government systems, forcing software companies to produce patches within this timeframe. In this hostile environment, finding a SAST solution that can reduce attack surface and simplify the writing and maintenance of secure code is critical.

Definition: What is SAST

Static Application Security Testing (SAST) is a tool or service that scans the source or binary code of applications. Classified as a “white-box” testing solution, SAST searches for known vulnerabilities and security flaws in code structure. Most SAST solutions also prioritize vulnerabilities based on perceived severity and recommend remediation steps. SAST tools don’t analyze applications at runtime; they perform their analysis on static code. SAST scans are usually run by application security (AppSec) teams but are often consumed by developers.

SAST can provide line-of-code fault and vulnerability analysis, guiding developers to locate vulnerabilities and quickly fix code. In theory, this leads to more secure applications with fewer security flaws. In practice, some SAST tools highlight so many false positives that developers may ignore the output. In addition, some SAST tools require hours to complete scans. This limits the ability of the tool to keep pace with rapid versioning of applications and releases of new code multiple times per day. Most SAST systems to date operate in a siloed fashion alongside other application security tools like software composition analysis (SCA), which identifies security flaws in the open source software, libraries, frameworks, and SDKs used in applications alongside proprietary first-party code. This isolation means SAST cannot determine whether the vulnerabilities or code flaws it finds actually present real risks to the application.

Key Criteria to Consider When Choosing a SAST

When shopping for a SAST solution, there are several overlapping characteristics to weigh and probe.


The accuracy of a SAST tool is perhaps the most important consideration. SAST tools that generate false positives at rates in excess of 50% are creating too much noise. This can prove disruptive to development and AppSec teams by forcing them to validate whether each SAST finding is a real risk. A high rate of false positives can also make severity assessment far less relevant because of the likelihood that the most severe bugs may also have the highest false positive rates. On the other hand, SAST tools that fail to detect real vulnerabilities and code flaws create a false sense of security that is perhaps even more troubling than too many false positives. To minimize false negatives and ensure that the latest known exploits and vulnerabilities are incorporated into scans, a good SAST solution must integrate with a comprehensive variety of vulnerability databases and threat intelligence feeds. This integration is becoming more important because of the speed with which malware and ransomware attacks propagate today across tightly networked enterprise environments.
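One way to measure these accuracy points during a tool evaluation, as an added example that is not part of the original article: score a scanner's findings against a benchmark application whose real flaws are known. The function name, the sample data and the exact file/line/CWE matching are assumptions, and the false positive rate is taken here as the share of reported findings that are not real flaws.

```python
from collections import defaultdict

# Constructed ground truth for a benchmark app: (file, line, CWE) of each real flaw.
KNOWN_FLAWS = {
    ("auth.py", 42, "CWE-89"),
    ("auth.py", 77, "CWE-798"),
    ("upload.py", 15, "CWE-22"),
    ("report.py", 8, "CWE-79"),
}

# Constructed scanner output: (file, line, CWE, severity) for each reported finding.
FINDINGS = [
    ("auth.py", 42, "CWE-89", "critical"),
    ("auth.py", 60, "CWE-89", "critical"),
    ("db.py", 12, "CWE-89", "critical"),
    ("upload.py", 15, "CWE-22", "high"),
    ("report.py", 8, "CWE-79", "medium"),
    ("report.py", 30, "CWE-79", "medium"),
]


def score(findings, known_flaws, noise_threshold=0.5):
    """Return overall and per-severity false positive rates plus missed flaws."""
    per_sev = defaultdict(lambda: {"true": 0, "false": 0})
    detected = set()
    for file, line, cwe, severity in findings:
        key = (file, line, cwe)  # assumption: exact location and CWE must match
        if key in known_flaws:
            per_sev[severity]["true"] += 1
            detected.add(key)
        else:
            per_sev[severity]["false"] += 1

    by_severity = {}
    for severity, counts in per_sev.items():
        rate = counts["false"] / (counts["true"] + counts["false"])
        # "noisy" marks severities above the 50% level the article calls too much noise
        by_severity[severity] = {"fp_rate": round(rate, 2), "noisy": rate > noise_threshold}

    total_false = sum(counts["false"] for counts in per_sev.values())
    overall = total_false / len(findings) if findings else 0.0
    return {
        "overall_fp_rate": round(overall, 2),
        "by_severity": by_severity,
        # Known flaws the scanner never reported: the false negatives.
        "missed": sorted(known_flaws - detected),
    }


if __name__ == "__main__":
    print(score(FINDINGS, KNOWN_FLAWS))
```

On this constructed data the overall rate sits exactly at 50%, yet the critical bucket is the noisiest and one known flaw is never reported, which is why the per-severity breakdown and the missed list are worth reviewing alongside the headline number.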

Holistic Application Awareness

In modern applications, the first-party code that SAST would scan is just a small piece of the technology pie. As much as 70% or 80% of the code running in apps today is open source from third parties. Most applications also bring in numerous APIs for various services. Open source libraries are bundled into packages to deliver key functionality with a single line of code, saving developers time they might have spent building and integrating a payment module or a GIS-handling system.

To be efficient, SAST should cooperate intently with the safety instruments used to validate and police these different components of the applying. Those different instruments embody Software Composition Analysis (SCA), linters that search for widespread formatting errors, secrets and techniques detection which search for inadvertently shared secrets and techniques, and container and cloud-native safety posture measurement platforms that take a look at whether or not these sorts elements are correctly secured. The finest SAST instruments can work along with these different instruments to compose a single view of customized and OSS code elements as a single software. The most refined safe coding platforms truly take inputs from a number of instruments with a number of viewpoints and create an intermediate abstraction layer. This layer successfully allows holistic evaluation and maps all of the related knowledge into a graph that accommodates dozens of aspects and allows extra correct assessments of which alerts are false positives or actual issues.

Ease of Use

How easy it is for AppSec teams and developers to use a SAST solution is critical to adoption and to realizing the security value of the technology. When evaluating a SAST, you should run user tests with any potential users to see how difficult it is for them to learn how to navigate the interface. The team’s feedback is critical here. Another good question to ask is how long it takes to configure the SAST tool and how difficult it is to make configuration changes. In addition, a SAST tool should minimize repetitive steps and offer easy-to-understand workflows. Modern SAST solutions offer useful remediation steps to developers in their development workflows rather than forcing them to go to a second interface or to pull insights out of emails, Slack or other mediums.

If a SAST generates false positives, does it initially present them to developers and AppSec teams, or is there a way to curate and filter alerts so as not to overwhelm users with noise? Above all, a key question is whether the SAST tool will effectively shift easy and obvious fixes left, or whether it is too complicated and only useful for the AppSec team. If shifting these early security fixes left in your organization is important, this is a critical question. You can choose to make the entire process reactive, with the AppSec team doing all detection work and shipping required fixes back to the development teams. This tends to slow down code velocity and increase unnecessary technical security debt. Fixing code as early as possible tends to have positive multiplier effects for the entire code production and product development process, reducing infrastructure costs for CI/CD jobs while increasing overall code quality.

Language Coverage and Versatility

Another critical consideration is whether the SAST tool covers all the languages that your development teams use. Obviously, it is better to have a single SAST tool that can cover all languages. This becomes more of a consideration as the number of languages in use in enterprises with multiple applications continues to increase. Just as important as which languages are covered is the quality of language coverage. Many SAST tools started life focused on older languages and only recently added coverage of newer languages like Go and Python. These older tools may handle the older languages, like Java and .NET, better and generate fewer false positives against those technologies while producing a far higher percentage of both false positives and false negatives against newer languages.

Understanding the language coverage roadmap of a SAST provider is also important. If the company plans to add more languages, how quickly will this happen? And how long might it take the organization to add new languages upon customer request? Language roadmap and agility tell you a lot about the organization, its vision, and the capability and agility of the tool’s underlying technology.

Speed of Scan

How long it takes to run a scan can be extremely important. For example, if a company has a fast-changing code base and is shipping new versions multiple times per day, then a SAST tool that requires 3 to 4 hours to run a scan will not be able to keep up. By the time the alerts come back, the developers will need to push the code into production; they won’t have time to pursue changes. This problem can be exacerbated if a SAST can only run on one or a handful of code repositories at any given time. Many modern companies have dozens or even thousands of applications, each residing in its own repository. So the ability of a SAST to run parallel scans at scale, and do so quickly, can become critical to getting the most benefit from the tool. In addition, if you want to truly shift code security fixes left and encourage first-class secure development practices, then individual developers and small teams must be able to invoke a SAST scan whenever they need or want. Anything less would discourage these teams from relying on SAST as part of their development process.

Tuning, Set Up and Maintenance

Closely tied to ease of use are the considerations of tuning, set up and maintenance. Longer tuning and configuration periods, sometimes lasting six months or more, can mean a longer ramp to production. Long tuning and config times also tend to indicate greater complexity and a more brittle tool that doesn’t handle more dynamic development patterns and high-velocity code landings.

When considering a SAST, maintenance requirements should factor into the calculation of total cost of ownership. Some SAST systems require a near full-time employee to maintain and operate. Others are simpler and can be easily handled by existing resources on an AppSec team. There may also be a range of delivery types. A true SaaS has zero infrastructure or data transport and storage costs outside of the core product. Hosted SaaS, which is growing in popularity, may require the enterprise to pay for on-prem or cloud capacity on a dedicated server. Some are offering a hybrid version of the two. The upshot? Make sure you understand exactly what delivery model your SAST implementation will have and all the associated costs and maintenance requirements.

Alongside maintenance requirements, it is important to ask what kinds of supporting technologies are required. For example, a SAST that covers .NET code and focuses primarily on Windows applications may require SQL Server to store results. This can add both license and storage hardware or software costs to the equation.

Product Evolution and Velocity

Seeing how quickly a SAST solution is adding new features and functionality tells you a lot about the metabolism and responsiveness of the SAST provider and its team. Seeing rapid additions of new features and capabilities is generally a positive sign. Similarly, if a SAST tool has rapidly expanded language coverage, then this indicates that the pace of new language coverage is likely to continue, which gives you more future optionality in language choice. A slower pace of change might not only reflect organizational metabolism but also the age and nature of the underlying SAST technology. Legacy SAST products written primarily as monoliths in older languages may require considerably more time to test changes because of the tight couplings of internal systems and lower tolerance for failure of any single component. While slow feature and language evolution may indicate caution and care in crafting robust code or improving the user experience, as a rule faster is better and more appropriate to modern software development, where teams can pick their own languages, tools and development environments.

Required Infrastructure Footprint

The infrastructure requirements of a SAST tool are important for both cost and operational considerations. If a SAST can only run on-premise or on physical hardware, then the additional cost of this hardware, and of scaling to N+1 or N+2 coverage, must be taken into account. In addition, if SAST is tied to physical hardware, you should also consider both the required compute capacity of the servers and the storage requirements. If the SAST tool can run in a cloud or hybrid environment, then hardware costs may be less of an issue. However, if the SAST requires a very large cloud instance, this can quickly cost more than physical hardware. Another key consideration is whether the SAST can operate in a distributed configuration and environment. This may be useful if you want to provide higher availability and resilience, and support multiple development teams in different geographic locations. Some of the newer SAST offerings are actually SaaS products, requiring no maintenance by the customers. The extreme simplicity of SaaS can come with risk to security if the SAST vendor must take your source code off of your servers in order to perform a scan.

API Structure and Ease of Integration

To be effective, a SAST solution should make its data and findings broadly accessible to other systems. Ideally, a SAST solution should have a broad set of pre-baked integrations with CI/CD tools, version control and code repositories, and other AppSec, DevOps, or DevEx tools. For auditing and ease of ingestion into other systems of record such as ERP, SIEM, or SOAR, output formats are important to consider. JSON is a common and useful output that many databases and technology systems work with. Legacy SAST tools may output XML or other dated types of feeds. This can mean more integration and customization work is required, possibly even an intermediate ETL layer to move SAST data into more modern systems of record such as key-value stores or indexing systems like Elastic.

Pricing Model

Naturally, you should understand how much SAST will cost. This can easily range from nothing for open source SAST tools to seven-figure annual contracts for larger proprietary SAST systems. Different pricing models that a provider might use include cost per scan, cost per seat or user, cost per server or core, or cost per line of code scanned. To make sure that you budget properly and understand the cost/benefit of a SAST tool, create a simple model based on the pricing formula and conservatively estimate usage and throughput, including concurrency. Equally important, understand how costs might change as usage or the number of users grows. There might be volume discounts or, conversely, there might be price triggers or per-feature costs that can add up.

Conclusion: Choose Wisely Because A SAST Is A Commitment

By now you probably realize that selecting a SAST tool is a project that requires considerable research and modeling. It might be hard to recognize which SAST solution is right for your organization, but you should be able to use this guide to build a checklist to make your decision process more objective and systematic. SAST regret is a sad thing. Ripping a SAST out of your DevOps stack because it doesn’t work as advertised is disruptive and time-consuming. The good news? Modern SAST tools are rapidly improving and reaching feature parity with legacy systems. Because they are built as cloud-native or API-driven systems, the newer SAST systems are also easier to deploy and integrate, with less risk of failure and less downside should you decide to switch to another tool. SAST is shifting left with the times, and if properly deployed and integrated, a modern SAST tool can elevate your shift left security efforts while enabling you to ship more secure code, faster.

To take a risk-free look at a modern SAST tool, create a free account for ShiftLeft CORE at with demo apps available for eight languages.

Key Considerations When Choosing a SAST was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by The ShiftLeft Team.
