Static application security testing

Static application security testing (SAST) is used to secure software by reviewing its source code to identify sources of vulnerabilities. Although static analysis of source code is as old as computing itself, the technique spread to security in the late 1990s, when web applications began integrating new technologies like JavaScript and Flash; SQL injection was first publicly discussed in 1998.

Unlike dynamic application security testing (DAST) tools, which black-box test the functionality of a running application, SAST tools focus on the content of the application's code (white-box testing). A SAST tool scans the source code of an application and its components to identify potential security vulnerabilities in the software and its architecture. Static analysis tools can detect an estimated 50% of existing security vulnerabilities.[1]

In the software development life cycle (SDLC), SAST is performed early in the development process at the code level, and again when all pieces of code and components are put together in a consistent testing environment. SAST is also used for software quality assurance,[2] even though the many false positives it produces impede its adoption by developers.[3]

SAST tools are integrated into the development process to help development teams, whose primary focus is developing and delivering software that meets the requested specifications.[4] SAST tools, like other security tools, aim to reduce the risk that applications suffer downtime or that private information stored in them is compromised.

For the year 2018, the Privacy Rights Clearinghouse database[5] shows that more than 612 million records were compromised by hacking.

Overview

Three kinds of application security test are performed on applications before their release: static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST), which combines the two.[6]

Static analysis tools examine the text of a program syntactically. They look for a fixed set of patterns or rules in the source code. In principle they can also examine a compiled form of the software; this relies on instrumentation of the code to map compiled components back to source code components so that issues can be reported against the source. Static analysis can also be done manually, as a code review or audit for various purposes including security, but that is time-consuming.[7]

The precision of a SAST tool is determined by its scope of analysis and by the specific techniques it uses to identify vulnerabilities. The analysis can be scoped at different levels, from a single function up to a whole application or group of applications.

The scope of the analysis determines its accuracy and its capacity to detect vulnerabilities using contextual information.[8] SAST tools, unlike DAST, give developers real-time feedback and help them fix flaws before they pass the code to the next stage.

At the function level, a common technique is to construct an abstract syntax tree (AST) of the function and track the flow of data through it.[9]

Since the late 1990s, the need to adapt to business challenges has transformed software development through componentization,[10] enforced by processes and by the organization of development teams.[11] Following the flow of data between all the components of an application, or group of applications, allows a tool to check that data reaching a sensitive operation has passed through the required sanitization procedures, and that data is correctly marked as tainted in specific pieces of code.[12][13]
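The following is an added example written for this article, not code from any SAST product or from the works cited here. It shows the function-level technique above (build an AST, then follow data through it) together with the sanitization check described in this paragraph: untrusted data from a taint source is followed through assignments to a sensitive sink, and a call to a known sanitizer stops the propagation. The source, sink and sanitizer names (`request.args.get`, `cursor.execute`, `os.system`, `shlex.quote`, and the hypothetical helper `quote_identifier`) are assumptions chosen for the demo; real tools ship large, language-specific lists of them. The program under analysis is constructed for the example.

```python
"""Toy function-level taint analysis over a Python abstract syntax tree.

Added example for this article, not code from any SAST product. It builds the
AST of each function and follows data from taint sources to sensitive sinks,
treating a call to a known sanitizer as cleaning the value. The source, sink
and sanitizer names below are assumptions chosen for the demo.
"""
import ast

SOURCES = {"input", "request.args.get"}           # where untrusted data enters
SINKS = {"cursor.execute": 0, "os.system": 0}     # sink -> index of the dangerous argument
SANITIZERS = {"shlex.quote", "quote_identifier"}  # quote_identifier is a hypothetical helper


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(expr, tainted, sanitizers):
    """True if the expression carries tainted data; a sanitizer call stops propagation."""
    if isinstance(expr, ast.Call):
        name = _dotted_name(expr.func)
        if name in sanitizers:
            return False
        if name in SOURCES:
            return True
        # other calls (str(x), "..".format(x), x.strip()) pass taint through
        return any(_is_tainted(a, tainted, sanitizers) for a in expr.args) or (
            isinstance(expr.func, ast.Attribute)
            and _is_tainted(expr.func.value, tainted, sanitizers)
        )
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):             # "SELECT ... " + uid
        return (_is_tainted(expr.left, tainted, sanitizers)
                or _is_tainted(expr.right, tainted, sanitizers))
    if isinstance(expr, ast.JoinedStr):         # f"ping {host}"
        return any(_is_tainted(v.value, tainted, sanitizers)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def find_taint_flows(source_code, sanitizers=frozenset(SANITIZERS)):
    """Return [(function, line, sink)] for each sink reached by unsanitized tainted data.

    Only straight-line statements in each function body are modelled (no
    branches, loops or calls into other functions), which is enough to show the
    technique; an inter-procedural analysis follows the same idea across the
    call graph of the whole application.
    """
    findings = []
    functions = (n for n in ast.walk(ast.parse(source_code)) if isinstance(n, ast.FunctionDef))
    for func in functions:
        tainted = set()
        for stmt in func.body:
            # 1. report any sink in this statement whose dangerous argument is tainted
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                sink = _dotted_name(call.func)
                if sink in SINKS and len(call.args) > SINKS[sink]:
                    if _is_tainted(call.args[SINKS[sink]], tainted, sanitizers):
                        findings.append((func.name, call.lineno, sink))
            # 2. then update the taint set for simple `name = expr` assignments
            if isinstance(stmt, ast.Assign) and all(isinstance(t, ast.Name) for t in stmt.targets):
                names = {t.id for t in stmt.targets}
                if _is_tainted(stmt.value, tainted, sanitizers):
                    tainted |= names
                else:
                    tainted -= names              # overwritten with clean data
    return findings


# Constructed sample program under analysis (not taken from any real code base).
SAMPLE = '''
def lookup(cursor, request):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)      # flagged: string-built query

def lookup_safe(cursor, request):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # not flagged: parameterised

def run(request):
    host = request.args.get("host")
    host = shlex.quote(host)
    os.system("ping -c1 " + host)                                 # not flagged: sanitised

def run_fstring(request):
    host = request.args.get("host")
    os.system(f"ping -c1 {host}")                                 # flagged: f-string from taint
'''

if __name__ == "__main__":
    for func_name, line, sink in find_taint_flows(SAMPLE):
        print(f"{func_name}:{line}: tainted data reaches {sink}")
```

Running the analysis with an empty sanitizer list makes `run` a third finding: the call to `shlex.quote` is then just another call that passes taint through. That is the false-positive mechanism discussed under SAST weaknesses, a tool reporting a flow whose context (here, a sanitizer it does not know about) it cannot capture.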

The rise of web applications entailed testing them: the 2016 Verizon Data Breach Investigations Report found that 40% of all data breaches exploited web application vulnerabilities.[14] As well as external security validation, there is a rising focus on internal threats. The Clearswift Insider Threat Index (CITI) reported that 92% of respondents to a 2015 survey had experienced IT or security incidents in the previous 12 months, and that 74% of those breaches originated with insiders.[15][16] Lee Hadlington categorized internal threats into three categories: malicious, accidental, and unintentional. The explosive growth of mobile applications calls for securing applications earlier in the development process to reduce malicious code development.[17]

SAST strengths

The earlier a vulnerability is fixed in the SDLC, the cheaper it is to fix: costs to fix in development are 10 times lower than in testing, and 100 times lower than in production.[18] SAST tools run automatically, either at the code level or at the application level, and do not require interaction. When integrated into a CI/CD pipeline, SAST tools can automatically stop the integration process if critical vulnerabilities are identified.[19]

Because the tool scans the entire source code, it can cover 100% of it, whereas dynamic application security testing covers only the paths that are executed and may miss part of the application[6] or an insecure setting in a configuration file.

SAST tools can offer extended functionality such as quality and architectural testing. There is a direct correlation between quality and security: poor-quality software is also poorly secured software.[20]

SAST weaknesses

Even though developers are positive about the usage of SAST tools, there are several challenges to their adoption.[4] The usability of the output generated by these tools limits how much developers can make use of them. Research shows that despite the lengthy output these tools generate, they may lack usability.[21]

With agile software development processes, early integration of SAST generates a large number of findings, because developers working in this framework focus first on features and delivery.[22]

Scanning many lines of code with SAST tools may result in hundreds or thousands of vulnerability warnings for a single application. The tools can generate many false positives, increasing investigation time and reducing trust in them. This is particularly the case when the tool cannot capture the context of the vulnerability.[3]

References

  1. Okun, V.; Guthrie, W. F.; Gaucher, H.; Black, P. E. (October 2007). "Effect of static analysis tools on software security: preliminary investigation" (PDF). Proceedings of the 2007 ACM Workshop on Quality of Protection. ACM: 1–5. doi:10.1145/1314257.1314260. S2CID 6663970.
  2. Ayewah, N.; Hovemeyer, D.; Morgenthaler, J.D.; Penix, J.; Pugh, W. (September 2008). "Using static analysis to find bugs". IEEE Software. 25 (5). IEEE: 22–29. doi:10.1109/MS.2008.130. S2CID 20646690.
  3. Johnson, Brittany; Song, Yooki; Murphy-Hill, Emerson; Bowdidge, Robert (May 2013). "Why don't software developers use static analysis tools to find bugs?". ICSE '13 Proceedings of the 2013 International Conference on Software Engineering: 672–681. ISBN 978-1-4673-3076-3.
  4. Oyetoyan, Tosin Daniel; Milosheska, Bisera; Grini, Mari (May 2018). "Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital". International Conference on Agile Software Development. Springer: 86–103.
  5. "Data Breaches | Privacy Rights Clearinghouse". privacyrights.org.
  6. Parizi, R. M.; Qian, K.; Shahriar, H.; Wu, F.; Tao, L. (July 2018). "Benchmark Requirements for Assessing Software Security Vulnerability Testing Tools". 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC). IEEE. pp. 825–826. doi:10.1109/COMPSAC.2018.00139. ISBN 978-1-5386-2666-5. S2CID 52055661.
  7. Chess, B.; McGraw, G. (December 2004). "Static analysis for security". IEEE Security & Privacy. 2 (6). IEEE: 76–79. doi:10.1109/MSP.2004.111.
  8. Chess, B.; McGraw, G. (October 2004). "Risk Analysis in Software Design". IEEE Security & Privacy. 2 (4). IEEE: 76–84. doi:10.1109/MSP.2004.55.
  9. Yamaguchi, Fabian; Lottmann, Markus; Rieck, Konrad (December 2012). "Generalized vulnerability extrapolation using abstract syntax trees". Proceedings of the 28th Annual Computer Security Applications Conference. Vol. 2. IEEE. pp. 359–368. doi:10.1145/2420950.2421003. ISBN 9781450313124. S2CID 8970125.
  10. Booch, Grady; Kozaczynski, Wojtek (September 1998). "Component-Based Software Engineering". IEEE Software. 15 (5): 34–36. doi:10.1109/MS.1998.714621. S2CID 33646593.
  11. Mezo, Peter; Jain, Radhika (December 2006). "Agile Software Development: Adaptive Systems Principles and Best Practices". Information Systems Management. 23 (3): 19–30. doi:10.1201/1078.10580530/46108.23.3.20060601/93704.3. S2CID 5087532.
  12. Livshits, V.B.; Lam, M.S. (May 2006). "Finding Security Vulnerabilities in Java Applications with Static Analysis". USENIX Security Symposium. 14: 18.
  13. Jovanovic, N.; Kruegel, C.; Kirda, E. (May 2006). "Pixy: A static analysis tool for detecting Web application vulnerabilities". 2006 IEEE Symposium on Security and Privacy (S&P'06). IEEE. pp. 359–368. doi:10.1109/SP.2006.29. ISBN 0-7695-2574-1. S2CID 1042585.
  14. "2016 Data Breach Investigations Report" (PDF). Verizon. 2016. Retrieved 8 January 2016.
  15. "Clearswift report: 40 percent of firms expect a data breach in the Next Year". Endeavor Business Media. 20 November 2015. Retrieved 8 January 2024.
  16. "The Ticking Time Bomb: 40% of Firms Expect an Insider Data Breach in the Next 12 Months". Fortra. 18 November 2015. Retrieved 8 January 2024.
  17. Xianyong, Meng; Qian, Kai; Lo, Dan; Bhattacharya, Prabir; Wu, Fan (June 2018). "Secure Mobile Software Development with Vulnerability Detectors in Static Code Analysis". 2018 International Symposium on Networks, Computers and Communications (ISNCC). pp. 1–4. doi:10.1109/ISNCC.2018.8531071. ISBN 978-1-5386-3779-1. S2CID 53288239.
  18. Hossain, Shahadat (October 2018). "Rework and Reuse Effects in Software Economy". Global Journal of Computer Science and Technology. 18 (C4): 35–50.
  19. Okun, V.; Guthrie, W. F.; Gaucher, H.; Black, P. E. (October 2007). "Effect of static analysis tools on software security: preliminary investigation" (PDF). Proceedings of the 2007 ACM Workshop on Quality of Protection. ACM: 1–5. doi:10.1145/1314257.1314260. S2CID 6663970.
  20. Siavvas, M.; Tsoukalas, D.; Janković, M.; Kehagias, D.; Chatzigeorgiou, A.; Tzovaras, D.; Aničić, N.; Gelenbe, E. (August 2019). "An Empirical Evaluation of the Relationship between Technical Debt and Software Security". In Konjović, Z.; Zdravković, M.; Trajanović, M. (eds.). International Conference on Information Society and Technology 2019 Proceedings (Data set). Vol. 1. pp. 199–203. doi:10.5281/zenodo.3374712.
  21. Tahaei, Mohammad; Vaniea, Kami; Beznosov, Konstantin (Kosta); Wolters, Maria K (6 May 2021). "Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them". pp. 1–17. doi:10.1145/3411764.3445616. ISBN 9781450380966. S2CID 233987670.
  22. Arreaza, Gustavo Jose Nieves (June 2019). "Methodology for Developing Secure Apps in the Clouds (MDSAC) for IEEECS Conferences". 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud) / 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). IEEE. pp. 102–106. doi:10.1109/CSCloud/EdgeCom.2019.00-11. ISBN 978-1-7281-1661-7. S2CID 203655645.
