What is SAST?
SAST stands for "Static Application Security Testing". It is a technique that is used to review the source code of software (known as the "codebase") in order to identify potential vulnerabilities. It is sometimes also called "Static Code Analysis", or "Static Program Analysis", though this is less common.
Where is SAST used?
SAST tooling requires access to the full source code and so is typically run as a local application: this can be directly on the server hosting the software; on developer machines that contain copies of the codebase being developed; or on CI/CD continuous integration hosts used to compile or build software releases from the source code. Since it requires full access to the source code, SAST is sometimes referred to as "white-box testing".
How effective is SAST?
Studies have shown that static analysis tools may find up to 50% of security vulnerabilities within an application. The advantage of SAST is that it has access to the full codebase, including "back-end" code that is executed on a server but not directly exposed via the front-end. The most frequent criticism with SAST is that because the code is analysed in an offline/static fashion (i.e. is not executed), it has to "guess" at whether code is vulnerable to a given vulnerability, and can generate a large number of "false positives".
How does SAST differ from SCA?
Software Component Analysis or Software Composition Analysis (SCA) is a specific sub-type of SAST tooling that is used to investigate the "supply chain" of a given software application in terms of understanding the (often third-party) libraries, modules and dependencies that an application may call upon. The use of standard "libraries" containing blocks of code that can quickly perform basic functions that are common to many applications (for example "write an entry to a database") is very common, but these libraries, as with any code, often contain vulnerabilities of their own. SCA tooling checks what libraries are included within an application or referenced by it, and checks them for known vulnerabilities.
Does AppCheck perform SAST or SCA?
AppCheck does not perform SAST (static analysis). AppCheck does perform a certain type of SCA, but not for all code. This is explained further below.
Why doesn't AppCheck perform SAST?
AppCheck does not perform SAST because it operates according to a very different set of techniques, collectively known as "DAST".
What is DAST?
DAST stands for "Dynamic Application Security Testing" and contrasts as an approach to SAST. DAST tooling is often referred to as "vulnerability scanning" and is performed in much the same way as a manual penetration test.
DAST tooling such as AppCheck operates as a network-based vulnerabilities scanner. That is to say that rather than testing static (non-running) code on a server, it interacts with "live" (running) versions of code that are actively in operation running a production instance of a website. It operates in a "request-response" mode, making network requests over HTTP and analysing the response for evidence of weakness.
What are the advantages of DAST?
The dynamic nature of DAST tooling such as AppCheck means that it is reflective of the type of interaction that a website user (or attacker) may perform. This allows AppCheck to test for the ability to exploit vulnerabilities as a remotely positioned attacker and in most cases to confirm that an exploit is real and exploitable, leading to less false positives in many cases than SAST tooling. It also better reflects "real world" risks and vulnerabilities.
The disadvantage of DAST tooling is that because it is "black box" - that is, having access only to the responses presented and returned by the targeted server across the network - it does not have native access to the entire codebase, and is reliant on being able to trigger the execution of all areas of the codebase by making sufficiently varied requests across the breadth of the targeted web application.
Should I use AppCheck instead of a SAST tool? Is DAST "better" than SAST?
We would always recommend that AppCheck as a DAST tool be used as a key part of a mature vulnerability management programme within an organisation, in which multiple tools are used to analyse components, applications and infrastructure for vulnerabilities from different perspectives. No one tool can ever be a truly universal panacea against all vulnerabilities, and operating multiple different tools or approaches permits the principle of "defense in depth", in which different tools can offer different strengths in different areas, to provide an overall more rounded and robust level of security assurance. DAST tooling such as AppCheck is often implemented alongside other SDLC (Software Development Lifecycle) measures including SAST source code analysis, security architecture reviews, peer code review, unit & integration testing, patch management, and threat and log monitoring.