Static application security testing: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 17:33, 7 February 2021 edit 77.21.101.82 (talk) Fix typo: iz -> is Tag: Visual edit ← Previous edit		Latest revision as of 20:21, 15 August 2025 edit undo Another Digital Nomad (talk \| contribs) 10 edits m Minor writing enhancements and linking Tag: Visual edit
(30 intermediate revisions by 22 users not shown)
Line 1: {{Short description\|Software securing application}} '''Static application security testing''' ('''SAST''') is used to secure [[software]] by reviewing ~~the~~its [[source code ~~of the software~~]] to identify ~~sources of~~security vulnerabilities. Although the process of [[~~Static~~Informal ~~program~~methods ~~analysis~~of validation and verification#Desk checking\|~~statically~~checking ~~analyzing~~programs ~~the~~by ~~source~~reading their code]] (modernly known as [[Static program analysis\|static program analysis]]) has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of [[SQL injection]] in 1998 when [[Web application\|web applications]] integrated new technologies like [[JavaScript]] and [[Adobe Flash Player\|Flash]]. Unlike [[dynamic application security testing]] (DAST) tools for [[black-box testing]] of application functionality, SAST tools focus on the code content of the application, [[white-box testing]]. A SAST tool scans the source code of applications and their components to identify potential security vulnerabilities in their software and architecture. Static analysis tools can detect an estimated 50% of existing security vulnerabilities in tested applications.<ref> {{Cite ~~journal~~book▼ ~~An SAST tool scans the source code of applications and its components to identify potential security vulnerabilities in their software and architecture.~~ ~~Static analysis tools can detect an estimated 50% of existing security vulnerabilities.<ref>~~ ▲{{Cite journal \|last1=Okun\|first1=V. \|last2=Guthrie\|first2=W. F. \|last3=Gaucher\|first3=H. \|last4=Black\|first4=P. E. \|~~journal~~title=Proceedings of the 2007 ACM ~~Workshop~~workshop on Quality of ~~Protection~~protection▼ \|~~title~~chapter= Effect of static analysis tools on software security: ~~preliminary~~Preliminary investigation▼ \|s2cid=6663970 \|date=October 2007 ~~\|title= Effect of static analysis tools on software security: preliminary investigation.~~ ▲\|journal=Proceedings of the 2007 ACM Workshop on Quality of Protection \|pages=1–5 \|publisher=ACM \|doi=10.1145/1314257.1314260 \|isbn=978-1-59593-885-5 \|chapter-url=https://samate.nist.gov/docs/SA_tool_effect_QoP.pdf }}</ref> In the [[~~Software~~software development ~~process\|SDLC~~life cycle]] (SDLC), SAST is performed early in the development process and at code level, and also when all pieces of code and components are put together in a consistent testing environment. SAST is also used for software quality assurance.,<ref> {{Cite journal \|last1=Ayewah\|first1=N. Line 35: \|publisher=IEEE \|doi=10.1109/MS.2008.130 }}</ref> even if the many resulting [[False positives and false negatives#False positive error\|false~~-positive~~ positives]] impede its adoption by developers.<ref name="ReferenceA">{{Cite ~~journal~~book \|last1=Johnson\|first1=Brittany \|last2=Song\|first2=Yooki \|last3=Murphy-Hill\|first3=Emerson \|last4=Bowdidge\|first4=Robert \|~~journal~~title=~~ICSE~~2013 ~~'13 Proceedings of the 2013~~35th International Conference on Software Engineering (ICSE)▼ \|~~title~~chapter= Why don't software developers use static analysis tools to find ~~bug~~bugs?▼ \|date=May 2013 ▲\|title= Why don't software developers use static analysis tools to find bug ▲\|journal=ICSE '13 Proceedings of the 2013 International Conference on Software Engineering \|pages=672–681 \|doi=10.1109/ICSE.2013.6606613 \|isbn=978-1-4673-3076-3 }}</ref> Line 57 ⟶ 58: \|pages=86–103 \|publisher=Springer }}</ref> SAST tools, like other security tools, focus on reducing the risk of downtime of applications or that private information stored in applications ~~will~~is not be compromised.▼ ~~}}</ref>~~ ▲SAST tools, like other security tools, focus on reducing the risk of downtime of applications or that private information stored in applications will not be compromised. For the year of 2018, the Privacy Rights Clearinghouse database<ref>{{Cite web\|url=https://privacyrights.org/data-breaches\|title=Data Breaches \| Privacy Rights Clearinghouse\|website=privacyrights.org}}</ref> shows that more than 612 ~~millions of~~million records in the [[United States]] have been compromised by hacking. ==Overview== Application security tests ofconducted ~~applications~~before their release: include static application security testing (SAST), [[dynamic application security testing]] (DAST), and [[interactive application security testing]] (IAST), which is a combination of the two.<ref name="auto1"> {{Cite ~~journal~~book \|last1=Parizi\|first1=R. M. \|last2=Qian\|first2=K. Line 71: \|last4=Wu\|first4=F. \|last5=Tao\|first5=L. \|~~journal~~title=2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC)▼ \|~~title~~chapter= Benchmark Requirements for Assessing Software Security Vulnerability Testing Tools.▼ \|s2cid=52055661 \|date=July 2018 ▲\|title= Benchmark Requirements for Assessing Software Security Vulnerability Testing Tools. ▲\|journal=IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC) \|pages=825–826 \|publisher=IEEE Line 81: }}</ref> Static analysis tools examine the text of a program syntactically. They look for a fixed set of patterns or rules in the source code. Theoretically, they can also examine a compiled form of the software. This technique relies on [[instrumentation]] of the code to do the mapping between compiled components and source code components to identify issues. Static analysis can be done manually as a [[code review]] or [[Software audit review\|auditing]] of the code for different purposes, including security, but it is time-consuming.<ref> ~~Static analysis can be done manually as a [[code review]] or [[Software audit review\|auditing]] of the code for different purposes, including security, but it is time-consuming.<ref>~~ {{Cite journal \|last1=Chess\|first1=B. Line 96 ⟶ 95: }}</ref> The precision of SAST ~~tool~~tools is determined by ~~its~~their scope of analysis and the specific techniques used to identify vulnerabilities. Different levels of analysis include the following: * [[Subroutine\|~~function~~Function level]]: ~~- sequences~~Sequences of instruction. * [[Class (computer programming)\|~~file~~File or class- level]]: ~~- an~~An extensible program-code-template for object creation. * [[Application software\|~~application~~Application level]]: ~~- a~~A program or group of programs that interact. The scope of the analysis determines its accuracy and capacity to detect vulnerabilities using contextual information.<ref> {{Cite journal Line 112 ⟶ 111: \|publisher=IEEE \|doi=10.1109/MSP.2004.55 \|doi-access=free ~~}}</ref>~~ }}</ref> SAST tools, unlike [[Dynamic application security testing\|DAST]] tools, give developers real-time feedback, and help them secure flaws before they move the code to the next level. At a function level, a common technique is the construction of an [[Abstract syntax tree]] to control the flow of data within the function.<ref> {{Cite ~~journal~~book \|last1=Yamaguchi\|first1=Fabian \|last2=Lottmann\|first2=Markus \|last3=Rieck\|first3=Konrad \|~~journal~~title=Proceedings of the 28th Annual Computer Security Applications Conference ▼ \|~~title~~chapter=Generalized vulnerability extrapolation using abstract syntax trees ▼ \|s2cid=8970125 \|date=December 2012 ▲\|title=Generalized vulnerability extrapolation using abstract syntax trees ▲\|journal=Proceedings of the 28th Annual Computer Security Applications Conference \|volume=2 \|issue=4 Line 128: \|publisher=IEEE \|doi=10.1145/2420950.2421003 \|isbn=9781450313124 }}</ref> Since the late 90s, the need to adapt to business challenges has transformed software development with componentization.<ref> {{Cite journal \|last1=Booch \|first1=Grady Line 137 ⟶ 138: \|date=September 1998 \|title=Component-Based Software Engineering \|journal=2006 IEEE Symposium on Security and Privacy (S&P'06)▼ \|pages=34–36 \|volume=15 \|issue=5 \|~~publisher~~journal=IEEE Software \|doi=10.1109/MS.1998.714621 }}</ref> enforced by processes and organization of development teams.<ref> {{Cite journal \|last1=Mezo \|first1=Peter Line 150: \|date=December 2006 \|title=Agile Software Development: Adaptive Systems Principles and Best Practices ~~\|journal=2006 IEEE Symposium on Security and Privacy (S&P'06)~~ \|pages=19–30 \|volume=23 \|issue=3 \|~~publisher~~journal=Information Systems Management \|doi=10.1201/1078.10580530/46108.23.3.20060601/93704.3 }}</ref> Following the flow of data between all the components of an application or group of applications allows validation of required calls to dedicated procedures for [[Code injection#Preventing problems\|sanitization]] and that proper actions are taken to taint data in specific pieces of code.<ref>▼ ~~}}</ref>~~ ▲Following the flow of data between all the components of an application or group of applications allows validation of required calls to dedicated procedures for [[Code injection#Preventing problems\|sanitization]] and that proper actions are taken to taint data in specific pieces of code.<ref> {{Cite journal \|last1=Livshits\|first1=V.B. Line 167 ⟶ 165: \| volume=14 }}</ref><ref> {{Cite ~~journal~~book \|last1=Jovanovic \|first1=N. \|last2=Kruegel \|first2=C. \|last3=Kirda\|first3=E. ▲\|~~journal~~title=2006 IEEE Symposium on Security and Privacy (S&P'06) \|~~title~~chapter=Pixy: aA static analysis tool for detecting Web application vulnerabilities ▼ \|s2cid=1042585 \|date=May 2006 ▲\|title=Pixy: a static analysis tool for detecting Web application vulnerabilities ~~\|journal=2006 IEEE Symposium on Security and Privacy (S&P'06)~~ \|pages=359–368 \|publisher=IEEE Line 181 ⟶ 179: }}</ref> The rise of web applications entailed testing them: Verizon Data Breach reported in 2016 that 40% of all data breaches use web application vulnerabilities.<ref name=DBI_1>{{cite web\| title=2016 Data Breach Investigations Report\| url=https://www.verizon.com/business/resources/Ta80/reports/DBIR_2016_Report.pdf\| publisher=[[Verizon]]\| date=2016\| access-date=8 January 2016}}</ref> Both external security validations and a focus on internal threats have risen. The Clearswift Insider Threat Index (CITI) has reported that 92% of their respondents in a 2015 survey said they had experienced IT or security incidents in the previous 12 months and that 74% of these breaches were originated by insiders.<ref name=CITI_2>{{cite web\| title=Clearswift report: 40 percent of firms expect a data breach in the Next Year\| url=https://www.securityinfowatch.com/cybersecurity/information-security/press-release/12141612/clearview-clearswift-report-40-percent-of-firms-expect-a-data-breach-in-the-next-year\| publisher=Endeavor Business Media\| date=20 November 2015\| access-date=8 January 2024}}</ref><ref name=CITI_1>{{cite web\| title=The Ticking Time Bomb: 40% of Firms Expect an Insider Data Breach in the Next 12 Months\| url=https://www.clearswift.com/resources/press-releases/ticking-time-bomb-40-firms-expect-insider-data-breach-next-12-months\| publisher=Fortra\| date=18 November 2015\| access-date=8 January 2024}}</ref> Lee Hadlington categorized internal threats in 3 categories: malicious, accidental, and unintentional. Mobile applications' explosive growth implies securing applications earlier in the development process to reduce malicious code development.<ref> The rise of web applications entailed testing them: Verizon Data Breach reports in 2016 that 40% of all data breaches use web application vulnerabilities.<ref>{{cite web \|url= https://enterprise.verizon.com/resources/reports/2016/DBIR_2016_Report.pdf \|title= 2016 Data Breach Investigations Report \|date = 2016}}</ref> {{Cite ~~journal~~book▼ As well as external security validations, there is a rise in focus on internal threats. The Clearswift Insider Threat Index (CITI) has reported that 92% of their respondents in a 2015 survey said they had experienced IT or security incidents in the previous 12 months and that 74% of these breaches were originated by insiders.<ref>{{cite web \|url= http://pages.clearswift.com/rs/591-QHZ-135/images/Clearswift_Insider_Threat_Index_2015_US.pdf \|title= Clearswift Insider Threat Index (CITI) \|date=2015}}</ref> Lee Hadlington categorized internal threats in 3 categories: malicious, accidental, and unintentional. Mobile applications' explosive growth implies securing applications earlier in the development process to reduce malicious code development.<ref> ▲{{Cite journal \|last1=Xianyong\|first1=Meng \|last2=Qian\|first2= Kai Line 189 ⟶ 186: \|last4=Bhattacharya\|first4= Prabir \|last5=Wu\|first5=Fan \|~~journal~~title=2018 International Symposium on Networks, Computers and Communications (ISNCC)▼ \|~~title~~chapter= Secure Mobile Software Development with Vulnerability Detectors in Static Code Analysis▼ \|s2cid=53288239 \|date=June 2018 ▲\|title= Secure Mobile Software Development with Vulnerability Detectors in Static Code Analysis ▲\|journal=2018 International Symposium on Networks, Computers and Communications (ISNCC) \|pages=1–4 \|doi=10.1109/ISNCC.2018.8531071 Line 205 ⟶ 202: \|title= Rework and Reuse Effects in Software Economy \|journal=Global Journal of Computer Science and Technology \|volume=18 \|issue=C4 \|pages=35–50 \|url=https://computerresearch.org/index.php/computer/article/view/1780 }}</ref> SAST tools run automatically, either at the code level or application-level and do not require interaction. When integrated into a [[CI/CD]] context, SAST tools can be used to automatically stop the integration process if critical vulnerabilities are identified.<ref>▼ ~~}}</ref>~~ {{Cite ~~journal~~book▼ ▲SAST tools run automatically, either at the code level or application-level and do not require interaction. When integrated into a CI/CD context, SAST tools can be used to automatically stop the integration process if critical vulnerabilities are identified.<ref> ▲{{Cite journal \|last1=Okun\|first1=V. \|last2=Guthrie\|first2=W. F. \|last3=Gaucher\|first3=H. \|last4=Black\|first4=P. E. \|~~journal~~title=Proceedings of the 2007 ACM ~~Workshop~~workshop on Quality of ~~Protection~~protection▼ ▲\|~~title~~chapter= Effect of static analysis tools on software security: ~~preliminary~~Preliminary investigation. \|s2cid=6663970 \|date=October 2007 ▲\|title= Effect of static analysis tools on software security: preliminary investigation ▲\|journal=Proceedings of the 2007 ACM Workshop on Quality of Protection \|pages=1–5 \|publisher=ACM \|doi=10.1145/1314257.1314260 \|isbn=978-1-59593-885-5 \|chapter-url=https://samate.nist.gov/docs/SA_tool_effect_QoP.pdf }}</ref> ~~Because~~Another ~~the~~advantage ~~tool~~over ~~scans~~other ~~the~~types ~~entire~~of ~~source-code,~~testing itis ~~can~~that ~~cover~~SAST ~~100%~~tools ofscan itthe entire source code, while [[dynamic application security testing]] ~~covers~~tools cover its execution, possibly missing part of the application,<ref name="auto1"/> or unsecured configuration in configuration files. SAST tools can offer extended functionalities such as quality and architectural testing. There is a direct correlation between ~~the~~software quality and ~~the~~ security. Bad quality software is also poorly secured software.<ref> {{Cite ~~journal~~conference▼ ~~<ref>~~ ▲{{Cite journal \|last1=Siavvas\|first1=M. \|last2=Tsoukalas\|first2=D. Line 238 ⟶ 237: \|date=August 2019 \|title= An Empirical Evaluation of the Relationship between Technical Debt and Software Security \|editor=Konjović, Z. \|editor2=Zdravković, M. \|editor3=Trajanović, M. ~~\|chapter=Software security~~ \|~~journal~~book-title= ~~9th~~ International Conference on Information Society and Technology 2019 Proceedings \|volume=1 \|pages=199–203 \|doi=10.5281/zenodo.3374712 \|doi-access=free \|type=Data set }}</ref> ==SAST weaknesses== Even though developers are positive about the usage of SAST tools, there are different challenges to their adoption.<ref name="auto"/> As an example, research shows that despite the long output generated by these tools, they may lack usability.<ref>{{cite book \|last1=Tahaei \|first1=Mohammad \|last2=Vaniea \|first2=Kami \|last3=Beznosov \|first3=Konstantin (Kosta) \|last4=Wolters \|first4=Maria K \|title=Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems \|chapter=Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them \|date=6 May 2021 \|pages=1–17 \|doi=10.1145/3411764.3445616\|isbn=9781450380966 \|s2cid=233987670 \|url=https://www.research.ed.ac.uk/en/publications/e1bc04ef-ae83-4e82-8ade-ca572bc503d2 }}</ref> ~~Even though developers are positive about the usage of SAST tools, there are different challenges to the adoption of SAST tools by developers.<ref name="auto"/>~~ With [[Agile software development\|Agile Processes]] in software development, early integration of SAST generates many bugs, as developers using this framework focus first on features and delivery.<ref> {{Cite ~~journal~~book \|last=Arreaza\|first=Gustavo Jose Nieves \|~~journal~~title=2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)▼ \|~~title~~chapter= Methodology for Developing Secure Apps in the Clouds. (MDSAC) for IEEECS ~~Conferences~~Confererences▼ \|date=June 2019 ▲\|title= Methodology for Developing Secure Apps in the Clouds. (MDSAC) for IEEECS Conferences ▲\|journal=2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom) \|pages=102–106 \|publisher=IEEE \|doi=10.1109/CSCloud/EdgeCom.2019.00-11 \|isbn=978-1-7281-1661-7 \|s2cid=203655645 }}</ref> Scanning many lines of code with SAST tools may result in hundreds or thousands of vulnerability warnings for a single application. It ~~generates~~can generate many false- positives, increasing investigation time and reducing trust in such tools. This is particularly the case when the context of the vulnerability cannot be caught by the tool.<ref name="ReferenceA"/> == See also == * [[Security testing]] * [[Lint (software)]] * [[Dynamic application security testing]] * [[Interactive application security testing]] * [[~~Category:~~Static program analysis\| ]]▼ ==References== {{reflist}} [[Category:~~Program~~Security ~~analysis~~testing]]▼ ~~{{Improve categories\|date=July 2020}}~~ [[Category:Static program analysis]] ~~[[Category:Software]]~~ ~~[[Category:Computer security software]]~~ ▲[[Category:Static program analysis\| ]] ▲[[Category:Program analysis]] ~~[[Category:Software development process]]~~ ~~[[Category:Agile software development]]~~