Vulnerabilities produce enormous reputational and financial risks. As a result, many companies are fascinated by security and want to build a secure software development life cycle (SSDLC). So today we're going to discuss SAST, one of the SSDLC components. SAST (static application security testing) searches for security defects in application source code. It examines the code for potential vulnerabilities: possible SQL injections, XSS, SSRF, data encryption issues, etc. These vulnerability classes are included in the OWASP Top 10, the CWE Top 25, and other lists.

Before we discuss why to integrate SAST in a DevSecOps pipeline, let me draw your attention to several facts. To estimate the number of vulnerabilities found yearly, it is enough to look at the CVE (Common Vulnerabilities and Exposures) statistics. The graph below shows the number of vulnerabilities found from 2017 to 2021; the data is provided by the National Vulnerability Database (NVD). Here are 2 facts:

By the way, at the time of writing the article in 2022, more than 5 thousand vulnerabilities have already been found. Remember that vulnerabilities can exist for years before they become publicly known. Take, for example, the sensational Log4Shell (CVE-2021-44228), disclosed 8 years after its appearance. Attackers can exploit a hidden vulnerability until it is discovered, and as a result the business loses money. What must be done? Use complex approaches and tools that allow you to detect as many security defects as possible.

Here's what the IBM System Science Institute reports about the relative cost of fixing a vulnerability: vulnerabilities found after the release are 15 times more expensive than those discovered at the development stage. Moreover, they are 100 times more costly than vulnerabilities found at the design stage. Different sources present this graph slightly differently.
However, the overall statistics are the same: defects found later are more expensive to fix. Absolute values depend heavily on how critical the vulnerability is, how complex it is to patch the vulnerable components, etc. Vulnerabilities, like other errors, can cost thousands, hundreds of thousands, or even millions of dollars. Remember the launch of Ariane 5? Estimates of the failure's losses vary from $360,000,000 to $500,000,000. Or the story of the Polygon Plasma Bridge vulnerability, with almost $850,000,000 at risk.

What must be done? Use tools and approaches that help to detect security defects as early as possible, and let your team improve their skills. Shift-left is a practice intended to perform testing early in the software development life cycle. That is, testing on the project's timeline should shift to the left, closer to the beginning. One of the advantages of static analysis is early defect detection.