How to Choose a Static Application Security Testing (SAST) Tool
Application security testing has three core technology areas, and each vendor focuses on Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) or Interactive Application Security Testing (IAST) as the solution for its target user group.
So far no vendor can claim that a single product addresses all three core result areas; at most they want you to buy a sister product or complementary product (so it is not a single product).
To be specific, this topic focuses on Static Application Security Testing (SAST), which is heavily used by development teams.
The market has a range of offerings, whether open source or commercial. Since open source depends on the user to adopt it and on self or community support, we focus this topic on commercial tools: because they are paid tools that involve a financial investment, we want to share some insight into how to choose a Static Application Security Testing (SAST) tool.
Although in recent years more and more security team personnel have become interested in SAST, most of them lack one precondition competency to master it well: the fundamental programming skill set, whether in Java, C/C++, .NET or the rest.
A great tool appreciated by programmers and developers may or may not be the right tool for a security officer, mainly because of the core competency required to understand the programming code. If you do not understand the code, how can you study it and attempt to perform a secure code review? Can you depend purely on the automated tool and not on the programming language at all? You can imagine how the report will look, and whether the developers' questions about the report findings can be answered.
As you can see, although nowadays more and more commercial vendors attempt to market their product as cross-platform and able to cover all languages, you will notice that a real development team will not be excited about it, since they practise only one or a few platform technologies. If you ask them to buy a SAST tool that claims to support 10 languages, it will be nice to have, as long as it is not their money. But in reality they may focus on one platform only, and in that scenario a platform-specific SAST tool will be more relevant and, more importantly, cost much less and provide more focused platform support. It is also much easier to understand and use.
Do not get us wrong: we are not against universal static application security testing tools; they have their own appealing market, and in fact we supply them too for some customer segments. Here we focus on the perspective of the development team, who need to use their development tools not just for static code analysis, but also for functional, load and run-time memory error testing, to ensure the quality of the application beyond application security testing alone.
Once you develop the right perspective, it becomes much easier to balance security and development team requirements. On top of that, remember the rise of application vulnerability correlation (AVC) technology. The security team can keep using their dynamic application security testing (DAST) tool, and let the development team use their platform-specific and more advanced static application security testing (SAST) tool. Share the results in the Application Vulnerability Correlation (AVC) platform, dashboard and reports to provide unified vulnerability management for a holistic view.
Another more costly and conventional approach is to invest in an enterprise-grade solution that covers end to end and forces all users to use the integrated solution.
Technology keeps advancing at a fast pace, and you will notice that purpose-built or platform-specific tools are updated and upgraded much faster than integrated tools.
One last area most enterprises forget to invest in is secure code review competency training for developers or security officers. It needs to be competency-specific and may not be product-specific. One of the best ways to acquire it is to subscribe to computer-based interactive training (CBT) specifically developed for the target competency area, such as secure code review for .NET, C/C++, Java and the rest.
If you have a case-specific question, please feel free to contact E-SPIN about your case and requirements, whether on dynamic or static application security testing tools, security testing, or the secure code review competency-based CBT training program.