Static Application Security Testing(SAST)

A method of analyzing application source code, bytecode, or binaries for security vulnerabilities without executing the program, typically integrated into the development workflow.

What Is SAST?

Static Application Security Testing (SAST). Also known as "white-box testing". Analyzes source code to find security vulnerabilities early in the development lifecycle. Unlike dynamic testing that requires a running application, SAST reviews code structure and logic to identify issues like SQL injection, cross-site scripting (XSS), buffer overflows, and insecure cryptographic usage.

How SAST Works

  1. Code parsing: Build a model of the application (abstract syntax tree, control flow graph, data flow graph)
  2. Analysis: Apply rules and patterns to detect security anti-patterns
  3. Taint analysis: Track untrusted input (e.g., user data) through the code to see if it reaches sensitive sinks (e.g., SQL queries) without sanitization
  4. Reporting: Generate findings with file location, severity, and remediation guidance

SAST in the Development Workflow

SAST integrates at multiple points:

  • IDE plugins. Real-time feedback as developers write code
  • Pre-commit hooks. Scan before code is committed
  • CI/CD pipelines. Automated scans on every pull request
  • Scheduled scans. Full repository scans on a regular cadence

SAST vs. DAST vs. SCA

| Technique | Tests | Requires Running App? | Finds | |---|---|---|---| | SAST | Source code | No | Code-level vulnerabilities | | DAST | Running application | Yes | Runtime vulnerabilities | | SCA | Dependencies | No | Known vulnerabilities in libraries | | IAST | Running app + code | Yes | Both code and runtime issues |

A mature AppSec program uses all of these techniques together.

Key Evaluation Criteria

  1. Language support. Coverage for your tech stack
  2. False positive rate. Accuracy of findings
  3. Speed. Scan time for your codebase
  4. Developer experience. Quality of remediation guidance, IDE integration
  5. CI/CD integration. Native support for your pipeline tools

Leading SAST Vendors

Major SAST tools include SonarQube, Checkmarx, Semgrep, Veracode, Snyk Code, GitHub Advanced Security (CodeQL), and Black Duck.

Related on CyberSecTool