
Almost a year ago, I wrote an article titled "How to choose the right SAST tool." It was a look at the pros and cons of two different generations of static application security testing (SAST):
- Traditional SAST (first generation): Deep scans for the best coverage, but creates massive friction because of the time it takes.
- Rules-based SAST (second generation): Prioritized developer experience through faster, customizable rules, but coverage was limited to explicitly defined rules.
At the time, these two approaches were really the only options. And to be honest, neither option was all that great. Basically, both generations were created to alert on code weaknesses that have mostly been solved in other ways (i.e., improvements in compilers and frameworks eliminated whole classes of CWEs), and the tools haven't evolved at the same pace as modern application development. They rely on syntactic pattern matching, sometimes enhanced with intraprocedural taint analysis. But modern applications are far more complex and often use middleware, frameworks, and infrastructure to handle risks.
So while responsibility for weaknesses shifted to other parts of the stack (thanks to memory safety, frameworks, and infrastructure), SAST tools spew out false positives (FPs) found at the granular code level. Whether you're using first or second generation SAST, 68% to 78% of findings are FPs. That's a lot of manual triage by the security team. Worse, today's code weaknesses are more likely to come from logic flaws, abuse of legitimate features, and contextual misconfigurations. Unfortunately, these aren't things a regex-based SAST can meaningfully understand. So in addition to FPs, you also have high rates of false negatives (FNs). And as organizations adopt AI code assistants at high volumes, we can also expect more logic and architecture flaws that SASTs can't catch.
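To make the FP/FN gap concrete, here is a toy illustration added for this article (not code from the original post or from any SAST product): a first-generation style regex rule and a minimal intraprocedural taint tracker run over three constructed snippets. The parameterized query is a false positive for the regex rule, the concatenated query is caught by both, and the missing ownership check is a logic flaw that neither approach can see.

```python
import ast
import re

# Three constructed snippets (not from any real code base) that a SAST would scan.
SAFE_PARAMETERIZED = '''
def get_user(request, db):
    uid = request.args.get("id")
    return db.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''
CONCAT_INJECTION = '''
def get_user(request, db):
    uid = request.args.get("id")
    return db.execute("SELECT * FROM users WHERE id = " + uid)
'''
MISSING_AUTHZ = '''
def get_invoice(request, db):
    inv = request.args.get("invoice")
    return db.execute("SELECT * FROM invoices WHERE id = ?", (inv,))
'''  # logic flaw: never checks that the caller owns the invoice; there is no pattern to match
# First-generation style rule: any SQL string literal passed to execute() is "SQL injection".
SQLI_REGEX = re.compile(r'execute\(\s*"[^"]*SELECT')

def regex_sast(source: str) -> bool:
    """Syntactic pattern matching: cannot tell a parameterized query from a concatenated one."""
    return bool(SQLI_REGEX.search(source))

def taint_sast(source: str) -> bool:
    """Intraprocedural taint tracking: request.args.get(...) -> local name -> execute(<query>)."""
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        # Pass 1: names assigned from the source request.args.get(...) are tainted.
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
                fn = node.value.func
                if (isinstance(fn, ast.Attribute) and fn.attr == "get"
                        and isinstance(fn.value, ast.Attribute) and fn.value.attr == "args"):
                    tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        # Pass 2: flag only if a tainted name flows into the query argument of execute().
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                used = {n.id for n in ast.walk(node.args[0]) if isinstance(n, ast.Name)}
                if used & tainted:
                    return True
    return False

if __name__ == "__main__":
    for src in (SAFE_PARAMETERIZED, CONCAT_INJECTION, MISSING_AUTHZ):
        print("regex:", regex_sast(src), " taint:", taint_sast(src))
```

The taint pass removes the parameterized-query FP, which is what rules-based tools gained over pure pattern matching; the authorization flaw stays invisible to both because nothing about it is syntactic.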

