A lot of configuration issues: yes, in general SAST tools (especially commercial ones) provide many built-in checkers (rules) that find configuration-related issues in source, for example hard-coded credentials, database passwords stored in plain text, or insecure default Spring configurations. However, the limitation is also obvious: many configurations are simply not done in the source, so a static scan over the complete source code still will not surface those.
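To make the hard-coded-credential point concrete, here is an added example (not code from the original post or from any SAST vendor) of the kind of rule such a checker implements: it walks the Python AST and flags credential-named variables that are assigned a string literal. The sample source, the credential name pattern and the function names are all constructed for this illustration. Note what the rule cannot see: the values pulled from `os.environ` or a config object are skipped, because the actual secret lives outside the scanned source.

```python
import ast
import re

# Names a credential rule would treat as sensitive (constructed pattern, not any vendor's rule set).
CREDENTIAL_NAME = re.compile(r"passw(or)?d|secret|api_?key|token", re.IGNORECASE)

# Constructed sample: two literals a scanner can see, two values that come from outside the source.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2"
api_key = "EXAMPLE-KEY-NOT-REAL"
db_password_from_env = os.environ["DB_PASSWORD"]
timeout = "30"

def connect(cfg):
    token = cfg.get("token")
    return token
'''


def _assigned_names(node):
    """Yield the plain identifier for each assignment target (x = ..., self.x = ..., x: str = ...)."""
    targets = [node.target] if isinstance(node, ast.AnnAssign) else node.targets
    for target in targets:
        if isinstance(target, ast.Name):
            yield target.id
        elif isinstance(target, ast.Attribute):
            yield target.attr


def find_hardcoded_credentials(source):
    """Return (line, name) for every credential-named variable assigned a string literal.

    Values read from the environment, a config object, or any call are deliberately
    skipped: the literal lives outside the source, so a source-only scan cannot judge it.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.Assign, ast.AnnAssign)) or node.value is None:
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for name in _assigned_names(node):
            if CREDENTIAL_NAME.search(name):
                findings.append((node.lineno, name))
    return sorted(findings)


if __name__ == "__main__":
    for line, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line}: '{name}' is assigned a string literal")
```

Running it reports lines 2 and 3 of the sample and nothing else; the environment-backed and config-backed values are exactly the "configuration not done in the source" that the paragraph above describes, and checking those needs a look at the deployment, not the repository.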

Known vulnerabilities in the dependencies: first, a lot of dependencies are introduced to the program in the form of native binaries, and SAST cannot trace function calls into those binaries and analyze their logic thoroughly; and even for dependencies added to the program in source or managed-binary form (for example, Java JARs and managed .NET DLLs), a known vulnerability does not always equal a programming defect. You need an SCA (software composition analysis) tool to manage those.

License issues: yes, even though license issues often get little or no attention from developers and even security auditors, they are a common issue in commercial software development, whether you release your software with an installer, as a docker image, or as a service; in short, open source doesn't mean free, and SaaS doesn't mean you can do whatever you like on your server side.

A lot of security issues related to the operating environment: many issues can only be validated when the deployment environment is taken into consideration. For example, certain issues are only exploitable on JDK 6 or older Apache Tomcat; in such cases, SAST will suffer from either false positives or false negatives.
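The two points above (known vulnerabilities in dependencies belong to SCA, and some findings only hold on a particular runtime) are illustrated by this added example, which is not code from the original post or from any SCA product. It matches a constructed dependency manifest against constructed advisory records by version range, the core of what an SCA tool does and what a source scan cannot do for a binary dependency. The advisory ids, package names, version numbers and the `runtime_below` field are all placeholders invented for the illustration; the runtime gate shows how the same match becomes "affected", "not exploitable on this runtime", or "unknown" depending on whether the deployment environment is known.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory record; ids, packages and versions are placeholders."""
    advisory_id: str
    package: str
    introduced: str                      # first affected package version (inclusive)
    fixed: str                           # first fixed package version (exclusive)
    runtime_below: Optional[str] = None  # hypothetical: only exploitable when runtime version < this


def parse_version(text, width=3):
    """Turn '2.3' into (2, 3, 0) so dotted versions of different lengths compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def package_affected(version, adv):
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan_dependencies(manifest, advisories, runtime_version=None):
    """Return (package, version, advisory_id, verdict) for every advisory hitting the manifest.

    verdict is 'affected', 'not-exploitable-on-runtime', or 'runtime-unknown'. The
    last one is the honest answer a source-only scan has to give when the advisory
    depends on the deployment environment and nobody told the scanner what that is.
    """
    hits = []
    for adv in advisories:
        version = manifest.get(adv.package)
        if version is None or not package_affected(version, adv):
            continue
        if adv.runtime_below is None:
            verdict = "affected"
        elif runtime_version is None:
            verdict = "runtime-unknown"
        elif parse_version(runtime_version) < parse_version(adv.runtime_below):
            verdict = "affected"
        else:
            verdict = "not-exploitable-on-runtime"
        hits.append((adv.package, version, adv.advisory_id, verdict))
    return hits


# Constructed advisory feed and manifest (placeholder names, not real packages or CVEs).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "example-xml-parser", "1.0.0", "1.4.2"),
    Advisory("ADV-PLACEHOLDER-002", "example-http-client", "3.2.0", "3.2.9"),
    Advisory("ADV-PLACEHOLDER-003", "example-servlet-lib", "2.0", "2.5", runtime_below="7.0"),
]

MANIFEST = {
    "example-xml-parser": "1.3.0",   # inside the affected range
    "example-http-client": "3.2.9",  # exactly the fixed version, so clean
    "example-servlet-lib": "2.3.1",  # affected only on an old runtime
    "example-logging": "5.0.1",      # no advisory at all
}


if __name__ == "__main__":
    for runtime in (None, "6.0", "8.0"):
        print(f"runtime={runtime}:")
        for hit in scan_dependencies(MANIFEST, ADVISORIES, runtime_version=runtime):
            print("  ", hit)
```

The `runtime_below` gate is where the false positive/false negative trade-off from the paragraph above appears in code: a scanner that ignores the runtime either reports the servlet finding everywhere (noise on modern runtimes) or drops it everywhere (a miss on the old ones), and only feeding it the deployment facts resolves the verdict.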

Unknown/hardware vulnerabilities: in the past few years you have heard more and more about hardware hacks like side-channel attacks on memory, or Meltdown/Spectre for CPUs; even though SAST solutions might provide checkers to find vulnerable code patterns, those are generally created by post-mortem analysis rather than preliminary research.

Coding conventions: by this I mean that, even though a SAST tool is more than capable of implementing strict coding standards like MISRA, CERT-C, etc., it may or may not be the best choice for enforcing simple coding conventions like naming conventions (upper case, lower case, Hungarian notation, etc.), indentation rules, etc.; the reason is very simple: different languages and different companies all have their own "conventions".

So what exactly can SAST help you find?

— OWASP Top 10
— OWASP Mobile Top 10
— memory leaks
— concurrency issues
— buffer overflows
— MISRA
— CERT-C
— CERT-Java
— configuration issues
— hard-coded credentials
— risky crypto
— many, many more