What is it?

A test for security vulnerabilities that looks at the source code or binary of an application without running it.

Why is it important?

Static Application Security Testing (SAST) can be used before an application is executable, enabling early and regular tests for security vulnerabilities. SAST allows developers to fix problems during the development phase of an application and at a much lower cost than when the code is in quality assurance (QA) or production.

Why does a business professional need to know this?

Business professionals and developers need to understand the basics of SAST and its essential role in catching vulnerabilities early in the development process. This is especially critical for environments where there is limited time for final product testing.

SAST analyzes an application for security vulnerabilities without executing the code. SAST looks for insecure coding patterns in the source code, bytecode, or binary of the application. SAST can help identify the exact lines of code where an attack might occur. SAST can then recommend how to fix the vulnerability.

SAST examines all the possible ways a piece of software could run, including edge cases that rarely occur in practice. For example, it can reveal a vulnerability regardless of whether the untrusted data is entered by a user, read from a database, or received through an application programming interface (API).

SAST is best used by integrating it into the build environment. This allows developers to detect vulnerabilities early, while the application is still under development, and it helps ensure that all of the application code is examined.

Recent extensions of SAST allow it to be part of an integrated development environment (IDE), where spellchecker-like testing can give immediate feedback as code is written.
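To make the mechanism concrete, the following is an added illustration (not code from the original article, the author, or any SAST product) of what a static analyzer does: it parses source into a syntax tree, walks the tree without executing anything, matches a few known-insecure call patterns, and reports the exact line together with a remediation hint. The rules, the rule names and the sample program being scanned are all constructed for this example and are deliberately simplistic compared with a commercial tool.

```python
"""Toy static analyzer: parses Python source into an AST, walks it without
executing anything, matches a few known-insecure call patterns, and reports
the exact line plus a remediation hint. Added illustration, not a real SAST
tool; the sample code it scans is constructed for this example."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str
    recommendation: str


class InsecurePatternVisitor(ast.NodeVisitor):
    """Collects findings for three pattern rules; extend by adding more checks."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str, recommendation: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message, recommendation))

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func

        # Rule 1: eval()/exec() turn attacker-controlled strings into code.
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            self._report(node, "CODE-INJECTION", f"call to {func.id}()",
                         "parse the input with ast.literal_eval() or a purpose-built parser")

        # Rule 2: subprocess.*(..., shell=True) hands the whole string to /bin/sh.
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report(node, "COMMAND-INJECTION",
                                 f"subprocess.{func.attr}() with shell=True",
                                 "pass the command as an argument list and drop shell=True")

        # Rule 3: a query assembled by concatenation, f-string or str.format() passed to .execute().
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            query = node.args[0]
            built_by_format = (isinstance(query, ast.Call)
                               and isinstance(query.func, ast.Attribute)
                               and query.func.attr == "format")
            if isinstance(query, (ast.BinOp, ast.JoinedStr)) or built_by_format:
                self._report(node, "SQL-INJECTION", "query string assembled from variables",
                             "use a parameterized query: execute(sql, params)")

        self.generic_visit(node)  # keep walking into nested calls and arguments


def scan_source(source: str) -> list[Finding]:
    """Analyze `source` statically and return findings ordered by line number."""
    visitor = InsecurePatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def format_report(findings: list[Finding]) -> list[str]:
    """Render findings the way an IDE plug-in or build log would show them."""
    return [f"line {f.line}: [{f.rule}] {f.message} -> {f.recommendation}" for f in findings]


# Constructed sample input: one safe parameterized query (line 6) and three insecure patterns.
SAMPLE_SOURCE = """import subprocess

def lookup(conn, user_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    return cur.fetchall()

def run(cmd):
    return subprocess.run(cmd, shell=True)

def parse(text):
    return eval(text)
"""

if __name__ == "__main__":
    for entry in format_report(scan_source(SAMPLE_SOURCE)):
        print(entry)
```

Run as a script it flags lines 5, 10 and 13 of the sample and leaves the parameterized query on line 6 alone, which is the property that matters: the analysis happened on the structure of the code, not on its behaviour, so it works before the program can even be executed. Real tools add data-flow tracking (is the concatenated value actually attacker-controlled?) to cut false positives, which this pattern-only version does not attempt.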

About Lucas von Stockhausen

Lucas von Stockhausen has over 10 years’ experience in application security with a deep knowledge of static, dynamic, and interactive application security testing as well as runtime application self-protection (RASP) technologies.

As product manager and senior application security strategist, he has a deep understanding of how companies implement these solutions, including processes such as the Building Security In Maturity Model (BSIMM) and the Software Assurance Maturity Model (OpenSAMM).

Term: Static Application Security Testing

Email: lvonstockhausen@microfocus.com

Website: fortify.com

What is it?

A formal method to identify, characterize, and prioritize risks and threats, typically with the goal of reducing them, also known as threat analysis or risk analysis.

Why is it important?

Most software is riddled with vulnerabilities, and software is pervasive in devices such as phones, cars, voting machines, etc. Threat modeling is one of the most effective ways to avoid and find vulnerabilities.

...continue reading "Term of the Week: Threat Modeling"

What is it?

A systematic investigation of network and system activities and events.

Why is it important?

Auditing evaluates the who, what, where, and when of events on a network, which helps managers identify critical events that may have an impact on their organization.

...continue reading "Term of the Week: Audit"

What is it?

A quantifiable measurement used to help organizations evaluate performance.

Why is it important?

Metrics provide a standard for measuring the performance of governance programs and controls established to protect an organization’s assets, interests, and resources.

...continue reading "Term of the Week: Metrics"

What is it?

A tool to capture and quantify information about the risks associated with a project or activity, including the potential impact, likelihood of occurrence, mitigation measures, responses, and response triggers.

Why is it important?

A risk register increases the chances of successful execution of a project or activity by helping managers identify and evaluate risks, assess their potential impact, and create contingency plans.

...continue reading "Term of the Week: Risk Register"

What is it?

Chief Information Security Officer. The most senior individual responsible for protecting an organization’s information assets.

Why is it important?

The CISO has overall responsibility for the information security program for an organization. The CISO works closely with executive management and business stakeholders to protect information assets.

...continue reading "Term of the Week: CISO"

What is it?

A comprehensive, step-by-step series of actions to be followed by an organization’s computer security incident response team (CSIRT) and business operations personnel following a verified cybersecurity incident to reduce the overall impact of the incident.

Why is it important?

When properly implemented, an incident response plan can help ensure an effective response to security incidents and help mitigate the effects of a potentially serious event. The presence of a well-rehearsed plan has proven to reduce the financial impact of security incidents.

...continue reading "Term of the Week: Incident Response Plan"

What is it?

A plan that allows an organization to remain operational at acceptable, predefined levels of operation despite disruptions resulting from human, technical, or natural causes.

Why is it important?

With more and more companies becoming heavily reliant on data to drive decisions, any loss of that data -- even short-term -- can bring business to a halt and have dire effects on the bottom line.

...continue reading "Term of the Week: Business Continuity Plan"

What is it?

A systematic process by which an organization gathers information about its essential business functions and processes and evaluates the potential impact to the organization if those functions and processes were interrupted or otherwise adversely affected. Also referred to as a business impact analysis.

Why is it important?

A business impact assessment is important because it helps organizations prioritize the allocation of time and resources to prevent, manage, and recover from incidents that affect critical business operations and assets. It also provides information to help create an incident response plan and a business continuity plan.

...continue reading "Term of the Week: Business Impact Assessment (BIA)"

What is it?

A process for defining, identifying, classifying, and prioritizing potential weaknesses in an organization’s computer, network, and communications infrastructure, also known as vulnerability analysis or security assessment.

Why is it important?

When conducted correctly, results from a vulnerability assessment can be used to define or update an organization’s internal and external network as well as its information security policies.

...continue reading "Term of the Week: Vulnerability Assessment"