Static analysis is an important part of many successful application security programs. Static analysis (also known as SAST or static code analysis) is a type of automated security tool that scans application source code to locate vulnerabilities.
SAST tools have gotten a reputation for being slow, error-prone, and difficult to use. And out of the box, many of them are. But with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
Static analysis tools are actually easier to configure than dynamic analysis tools – and there’s a lot you can do to help you get greater value from your tool set.
5. Give Static Analysis Tools to Your Developers
One of the biggest benefits of static analysis is that it allows you to “shift-left,” meaning that you can discover vulnerabilities earlier in the software development lifecycle (SDLC). On average, it costs organizations 30 times more to fix vulnerabilities later in the SDLC than it would if they caught the issues earlier.
By giving your developers static analysis tools, you let them discover vulnerabilities earlier in the SDLC and remediate them before the source code ever leaves their development machines.
Many popular static analysis tools have IDE plugins that will allow developers to run scans without ever needing to leave the IDE that they are using to write code. The tools will locate security weaknesses within the application, highlight the relevant source code and provide remediation guidance within the IDE.
Other static analysis tools have the capability to monitor the code as the developer is writing it and provide auto-complete style notifications of vulnerabilities as they are created.
4. Give SAST Tools More Insight: Include All of Your Dependencies
You can greatly improve the accuracy and quality of your static analysis scans by including the path to all of your application’s dependencies. In most commercial scanners, if the path to an application dependency cannot be found, a trace diagram of the program flow will not be available and the triaging process will be more time-consuming.
By including the path to the dependencies, the scanner will have more insight into the application and can provide more information back to the security analyst to ease the burden of the triaging process.
3. Manage Static Analysis Triage More Efficiently
Every organization is different, and each organization will be concerned with different sets of vulnerabilities. And since it’s not uncommon for a static analysis scan to spit out 10-20k results, you must narrow your focus or you’ll end up spending days or even weeks triaging.
One common method is to focus on medium and high severity issues. Generally, medium and high severity issues have a higher confidence rating and are more likely to be true positives. The opposite can be said about lower severity issues. Many signatures have a low confidence rating and are meant to draw your attention to areas of code that need manual review.
Another strategy is to tackle certain categories of vulnerabilities first and then move on to other categories. For example, get a grasp on the injection vulnerabilities or categorize your findings by OWASP Top 10 and work on vulnerabilities that are in the top 5.
Regardless of what method you use, it’s important not to tackle too many issues at once. Static analysis is just like performing any other type of vulnerability management – you have to draw a line in the sand and worry about the issues on one side first, then continuously move the line as you work on more issues.
2. Have SAST Scans Reviewed by a “Secure Developer”
Let’s face it, most of these tools are run by security teams to achieve compliance. Most security analysts either have a networking background or went to school specifically to become a security analyst. Very few security analysts come from a development background. To make the situation even more difficult, security analysts with a development background are a hot commodity right now and it is difficult to hire someone with this skill set.
I am a big advocate of finding a developer in your organization who has an interest in security and placing them on the security team. Regardless of how your organization discovers a “secure developer,” you’ll want someone with this type of skill set to review the results of static analysis. This will help ensure that you are addressing security-relevant issues and not delivering false positives back to the development staff.
1. Automate. Automate. Automate!
Many static analysis tools come with a CLI or an API that can be used to automate tasks – you can queue scans, perform automatic scanning on code changes, and even upload scan results to a centralized server and send email notifications. For organizations that are using any sort of automation to build and move code from one environment to another, automated static analysis can be used as a security gate between environments, ensuring that vulnerabilities are not only discovered, but also remediated.
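As an added example (not code from the original post or from any particular scanner vendor), the Python script below ties together the severity-based triage from tip 3 and the automation from tip 1: it reads a scanner's SARIF 2.1.0 export, buckets each finding by severity, and returns a pass/fail verdict that a pipeline can use as the gate between environments. The SARIF sample, tool name, rule ids, file paths and severity bands are constructed or assumed for illustration.

```python
import json

# Constructed SARIF 2.1.0 export standing in for a real scan (tool name, rule ids
# and paths are made up for illustration).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "EX001", "name": "SqlInjection", "properties": {"security-severity": "9.1"}},
        {"id": "EX002", "name": "HardcodedSecret", "properties": {"security-severity": "6.5"}},
        {"id": "EX003", "name": "ManualReviewHint"}]}},  # no score: falls back to level
    "results": [
        {"ruleId": "EX001", "level": "error", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "EX002", "level": "warning", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/config.py"}, "region": {"startLine": 7}}}]},
        {"ruleId": "EX003", "level": "note", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/util.py"}, "region": {"startLine": 3}}}]}]}]})

# Bands for the "security-severity" rule property, lowest to highest (assumed
# CVSS-style cut-offs; adjust to match your scanner's scale).
BANDS = [("low", 0.0), ("medium", 4.0), ("high", 7.0), ("critical", 9.0)]
RANK = {name: i for i, (name, _) in enumerate(BANDS)}
# Rules without a numeric score are ranked by the SARIF result level instead.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

def severity_of(result, rules):
    """Return the severity band ("low" .. "critical") for one SARIF result."""
    props = rules.get(result.get("ruleId"), {}).get("properties", {})
    score = props.get("security-severity")
    if score is None:
        return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")
    return max((n for n, floor in BANDS if float(score) >= floor), key=RANK.get, default="low")

def triage(sarif_text, min_severity="medium"):
    """Count findings per band and list those at or above the threshold."""
    counts = {name: 0 for name, _ in BANDS}
    blocking = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            sev = severity_of(res, rules)
            counts[sev] += 1
            if RANK[sev] >= RANK[min_severity]:
                loc = res["locations"][0]["physicalLocation"]
                blocking.append((sev, res["ruleId"], loc["artifactLocation"]["uri"],
                                 loc["region"]["startLine"]))
    return counts, blocking

def gate_passes(sarif_text, min_severity="medium"):
    """Pipeline exit condition: True only when nothing at/above the threshold remains."""
    return not triage(sarif_text, min_severity)[1]
```

In a build job, exit non-zero when `gate_passes` is False and surface the `blocking` list (severity, rule, file, line) to the developer; the low-severity bucket is left for the manual review described in tip 3.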
Optimized SAST Tools = Better Results, Better Code
Using these five tactics to optimize your static analysis tools gives your organization several advantages. It increases your development team’s confidence in your security team and its policies, while giving developers a practical way to address security concerns without taking them outside their normal development cycle. Try them today.
Want to learn more about how to automate your application security activities? Check out these resources or contact us today.
- Blog Post: How to Optimize DAST — Part 1 and Part 2
- Blog Post: Secure DevOps with an AppSec Pipeline
- Aspect Security's Automation & Integration Services