Static analysis

What is it?

A static analysis tool, referred to as a Static Application Security Tool (SAST) in the context of security, identifies potential security flaws in source code, byte code, and binaries. SAST tools provide a powerful way to identify potential defects by analyzing applications from the “inside out”. This provides much greater sight into possible flaws than a scanner that only interacts with a application as a user would.

Why is it needed?

• Sometimes the easiest or most obvious way to do something is also not secure. These tools provide fast feedback if a mistake is made.
• Continuous, fast feedback about potential vulnerabilities saves teams time and stress.

When should I use this?

• In your CI pipeline. Automatically run the scanner periodically, possibly alongside other automated tests following a checkin if it can complete quickly enough.
• During manual testing. More in-depth scans can be run and verified along with the other necessary manual tests. Testers can also start to do some exploratory security testing after familiarizing themselves with typical weaknesses.

Tools

• Agnostic static analysis
• Static analysis for Java
• Static analysis for Javascript
• Static analysis for Python
• Static analysis for Ruby

Further reading

• Wikipedia page on static program analysis
• Wikipedia list of static program analyzers
• OWASP wiki page on static program analysis
• NIST list of security-focused static program analyzers