Static application security testing

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

Unlike dynamic application security testing (DAST) tools for black-box testing of application functionality, SAST tools focus on the code content of the application, white-box testing. A SAST tool scans the source code of applications and its components to identify potential security vulnerabilities in their software and architecture. Static analysis tools can detect an estimated 50% of existing security vulnerabilities.^[1]

In the software development life cycle (SDLC), SAST is performed early in the development process and at code level, and also when all pieces of code and components are put together in a consistent testing environment. SAST is also used for software quality assurance,^[2] even if the many resulting false-positive impede its adoption by developers^[3]

SAST tools are integrated into the development process to help development teams as they are primarily focusing on developing and delivering software respecting requested specifications.^[4] SAST tools, like other security tools, focus on reducing the risk of downtime of applications or that private information stored in applications will not be compromised.

For the year of 2018, the Privacy Rights Clearinghouse database^[5] shows that more than 612 million records have been compromised by hacking.

^ Okun, V.; Guthrie, W. F.; Gaucher, H.; Black, P. E. (October 2007). "Effect of static analysis tools on software security: preliminary investigation" (PDF). Proceedings of the 2007 ACM Workshop on Quality of Protection. ACM: 1–5. doi:10.1145/1314257.1314260. S2CID 6663970.
^ Ayewah, N.; Hovemeyer, D.; Morgenthaler, J.D.; Penix, J.; Pugh, W. (September 2008). "Using static analysis to find bugs". IEEE Software. 25 (5). IEEE: 22–29. doi:10.1109/MS.2008.130. S2CID 20646690.
^ Johnson, Brittany; Song, Yooki; Murphy-Hill, Emerson; Bowdidge, Robert (May 2013). "Why don't software developers use static analysis tools to find bug". ICSE '13 Proceedings of the 2013 International Conference on Software Engineering: 672–681. ISBN 978-1-4673-3076-3.
^ Oyetoyan, Tosin Daniel; Milosheska, Bisera; Grini, Mari (May 2018). "Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital". International Conference on Agile Software Development. Springer: 86–103.
^ "Data Breaches | Privacy Rights Clearinghouse". privacyrights.org.

[1] Okun, V.; Guthrie, W. F.; Gaucher, H.; Black, P. E. (October 2007). "Effect of static analysis tools on software security: preliminary investigation" (PDF). Proceedings of the 2007 ACM Workshop on Quality of Protection. ACM: 1–5. doi:10.1145/1314257.1314260. S2CID 6663970.

[2] Ayewah, N.; Hovemeyer, D.; Morgenthaler, J.D.; Penix, J.; Pugh, W. (September 2008). "Using static analysis to find bugs". IEEE Software. 25 (5). IEEE: 22–29. doi:10.1109/MS.2008.130. S2CID 20646690.

[ReferenceA-3] Johnson, Brittany; Song, Yooki; Murphy-Hill, Emerson; Bowdidge, Robert (May 2013). "Why don't software developers use static analysis tools to find bug". ICSE '13 Proceedings of the 2013 International Conference on Software Engineering: 672–681. ISBN 978-1-4673-3076-3.

[auto-4] Oyetoyan, Tosin Daniel; Milosheska, Bisera; Grini, Mari (May 2018). "Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital". International Conference on Agile Software Development. Springer: 86–103.

[5] "Data Breaches | Privacy Rights Clearinghouse". privacyrights.org.

[1]

[2]

[3]

[4]

[5]