SAST tooling: Our experience

As part of our internal process, we continuously review the tools we use to make sure they fulfil our needs, to check if we are missing great new features, if the tools are accurate enough, and if we can properly automate parts of our process. This process also includes the Static Application Security Testing (SAST) tools we use in our Security Assessments.

In addition, we have implemented an application – for educational purposes – that contains a large number of security issues, hereafter called the vulnerable application. The vulnerable application contains issues based on the OWASP Top 10, the CWE Top 25 and security issues we have seen in software solutions for multiple customers. The code base’s main use is to create awareness and train developers and testers to identify issues themselves. The code base contains over 53 security issues at the moment of writing.

We used the vulnerable application to get a good understanding of the rate at which SAST tooling can detect security issues. We had the SAST tooling identify as many security issues as possible. Across a total of four different SAST providers, the tools were able to identify an average of 9 security issues (excluding false positives) that would be added to a report. These issues regarded secrets left in code, configuration issues and injection.

This gives a good insight into the challenge of identifying security issues within applications. Many security issues are considered an issue in the context of the application. For example, an automated tool will never be able to know if an endpoint should only be accessible to administrators or should be public, this requires domain knowledge. In addition to the required domain knowledge, the complexity of security issues can vary greatly. SAST tooling is good at exposing simpler issues but still has room for improvement regarding complex issues that require context. This is not to blame anyone, because even trained professionals might require considerate time before they identify the issue, or even completely miss an issue. This is why zero-day vulnerabilities – a vulnerability that has been present since the first release – exist.

With the current state of automated security tooling, the use of such tooling might create a false sense of security. In a worst-case scenario, the application is considered secure, but data is continuously leaked and malicious actors can gain access to the company’s servers. This does not mean that automated tooling should not be used; the opposite is true. They will continuously help you identify issues and improve the security of your applications.

However, to make sure you are as secure as possible, it is important to perform regular manual security assessments. Currently, the knowledge of security experts is still irreplaceable.

New SAST tooling powered by Artificial Intelligence offers good hope for the future that they will start identifying more and more security issues. AI has the power to understand context, which will help tremendously in identifying security issues. The first studies on identifying and exploiting security issues using AI have already shown that this is something we might see in the coming years. It is important to keep up, especially with developments such as AI.

It should be noted that new technologies introduce new security risks. These risks need to be identified as soon as possible. New technologies are used not only by you, but also by malicious actors, so if you fall behind, you increase the risk of security events in the future.