Executive, Technical | November 30 2021 | 4 min read
Static Application Security Testing (SAST) tools have been the foundation of application security programs for 2 decades, along with security code reviews and penetration tests. But any AppSec practitioner will tell you that after 20 years, SAST still generates 40-80% false positives. Marginal improvements are no longer good enough. It’s time for a complete re-think of what SAST must become in order to remain an essential tool that helps organizations reduce risk while accelerating software delivery.
Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a nonrunning state.
Unlike other types of security scans, such as dynamic testing, SAST tools look at a snapshot of code in order to identify “vulnerabilities”. The most glaring problem with current SAST technology is that it is missing the context needed to fundamentally understand risk. This is why existing tools generate roughly 80% false positives with default configurations, and still around 40% even with constant fine-tuning.
Legacy SAST tools are overwhelming for the AppSec engineer. As waterfall methodologies have shifted to agile, on-premises servers have moved to the cloud, and manual handoffs between Development and Operations teams have turned into “DevOps”, SAST hasn’t been able to keep up, constrained by its inherent inability to build a deeper, contextual understanding of the code.
There is little differentiation between traditional SAST scanners. They all scan code, identify potential vulnerabilities like SQL injection or buffer overflows on a snapshot of code, and spit out a series of alerts that overwhelmed and overworked AppSec engineers have to manually investigate. Vendors have only made marginal improvements to reduce false positive rates and they will continue to spin their wheels without embracing a fundamentally new approach.
Code risk is multidimensional and it is no longer enough for a scanning tool to identify unknown vulnerabilities without context. SAST needs to become less “static” and evolve to examine new data sources and more intelligently analyze risk instead of producing endless streams of unhelpful vulnerability alerts, many of them false positives.
Ask yourself this question: is it better to mitigate a vulnerability categorized as “High Risk” on an internal application with low business impact that’s protected by multiple layers of security or a vulnerability categorized as “Medium Risk” that’s on your attack surface? The only correct answer is: it depends. To make an informed decision, you’d need to understand the relevant data, the business impact of a breach, the details of the existing security controls, and more. Now ask yourself which vulnerability is remediated first in most organizations.
Static analysis needs to do four essential things in order to solve modern risks:
These four fundamental enhancements combine to provide contextual insights that make findings more risk-based and actionable.
Apiiro looks at application security testing using a new lens. Instead of providing vulnerability alerts, Apiiro focuses on risk, which is multidimensional. This is accomplished by understanding code, but going beyond to incorporate new sources of data that can provide AppSec practitioners with deep visibility into their applications – even allowing them to understand the applications better than their developers. On top of that, Apiiro automatically identifies critical risks that could impact the business across the SDLC, from design to code to cloud.
Apiiro automatically and continuously maps the attack surface of the application with asset discovery, followed by capabilities in a number of areas that are blind spots for existing SAST solutions: