Static Application Security Testing (SAST)
Understanding SAST: Code-Level Security
Static Application Security Testing (SAST) analyzes source code to find security vulnerabilities without executing the application. Think of it as a spell-checker for security—it reads your code and flags potential problems.
How SAST Works
```text
┌─────────────┐      ┌──────────────┐      ┌─────────────┐
│ Source Code │ ──▶  │ SAST Engine  │ ──▶  │   Report    │
│ (.py, .js)  │      │ (Parser +    │      │ (Vulns +    │
│             │      │  Rules)      │      │  Locations) │
└─────────────┘      └──────────────┘      └─────────────┘
```
SAST tools:
- Parse your code into an abstract syntax tree (AST)
- Apply rules to detect vulnerable patterns
- Report findings with file locations and remediation advice
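The three steps above, parse into an AST, apply rules, report locations, as a minimal scanner written for this article (it is an added example, not code from any real SAST product). It uses only Python's standard `ast` module (`ast.unparse` needs Python 3.9+); the rule names, the `SECRET_NAMES` and `DANGEROUS_CALLS` sets and the sample module being scanned are all constructed here for illustration.

```python
import ast
from dataclasses import dataclass

# Constructed sample input: a small module with two deliberate findings.
# The key value is a placeholder, not a real credential.
SAMPLE_SOURCE = '''
import pickle

api_key = "sk-EXAMPLE-placeholder-not-a-real-key"

def load(data):
    return pickle.loads(data)

def safe():
    api_key = load_from_env()   # not a literal, so not flagged
    return api_key
'''


@dataclass
class Finding:
    rule: str
    line: int
    col: int
    message: str


# Variable names that suggest a credential when assigned a string literal (assumed list)
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}
# Qualified call names treated as dangerous deserialisers (assumed list)
DANGEROUS_CALLS = {"pickle.loads", "pickle.load", "marshal.loads"}


class RuleVisitor(ast.NodeVisitor):
    """Walks the AST once and applies each rule to the node types it cares about."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # Rule 1: credential-looking name assigned a string literal
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append(Finding(
                        "hardcoded-secret", node.lineno, node.col_offset,
                        f"string literal assigned to '{target.id}'"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # Rule 2: call to a known dangerous function, matched on its dotted name
        name = ast.unparse(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(
                "insecure-deserialization", node.lineno, node.col_offset,
                f"call to {name}() on possibly untrusted data"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse -> apply rules -> return findings, in source order."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def report(findings) -> list:
    """Render findings as 'line:col [rule] message' strings."""
    return [f"{f.line}:{f.col} [{f.rule}] {f.message}" for f in findings]


if __name__ == "__main__":
    for entry in report(scan(SAMPLE_SOURCE)):
        print(entry)
```

Because the rules run on the AST rather than on raw text, the second `api_key` assignment (whose value is a call, not a literal) is correctly left alone, which a plain regex over the line would not manage.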
What SAST Finds
| Vulnerability Type | Example | SAST Detection |
|---|---|---|
| SQL Injection | `query = "SELECT * FROM users WHERE id=" + user_input` | Pattern matching on string concatenation in queries |
| XSS | `innerHTML = userInput` | Tracking untrusted data to DOM sinks |
| Hardcoded Secrets | `api_key = "sk-1234abcd"` | Regex patterns for API key formats |
| Path Traversal | `open(user_path)` | Tracking user input to file operations |
| Insecure Deserialization | `pickle.loads(data)` | Known dangerous function calls |
SAST vs DAST: Complementary Approaches
| Aspect | SAST | DAST |
|---|---|---|
| When | Before runtime (build phase) | During runtime (test phase) |
| What it sees | Source code | Running application |
| Coverage | All code paths | Only exercised paths |
| False positives | Higher (no runtime context) | Lower (validates exploitation) |
| Speed | Fast (minutes) | Slower (hours) |
| Languages | Language-specific | Language-agnostic |
Types of SAST Analysis
1. Pattern Matching
Simple regex-based detection:
```python
# Detected by pattern: password\s*=\s*["'][^"']+["']
password = "hardcoded123"  # SAST flags this
```
2. Data Flow Analysis
Tracks data from sources to sinks:
```python
# Source: user input
user_input = request.args.get('query')
# ... code ...
# Sink: database query (SAST tracks the flow)
cursor.execute(f"SELECT * FROM users WHERE name = '{user_input}'")
```
3. Control Flow Analysis
Understands execution paths:
```python
def process(data):
    if validate(data):  # Safe path
        safe_process(data)
    else:
        # SAST knows this path exists
        unsafe_process(data)  # May flag this
```
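A small data flow analysis in the spirit of the source-to-sink tracking described above, added here as an illustration rather than taken from any real tool. It follows taint from `request.args.get(...)` through assignments, string concatenation and f-strings into the first argument of `cursor.execute(...)`, and deliberately does not flag a parameterised query whose bound values are tainted, since those never reach the SQL parser as code. The source and sink name sets and the sample handler are constructed for this example; the analysis is flow-insensitive, so it does not model the branching shown in the control flow section.

```python
import ast

# Constructed sample: one injectable query (line 5) and two safe ones (lines 6-7)
SAMPLE_SOURCE = '''
def search(request, cursor):
    user_input = request.args.get("query")
    pattern = "%" + user_input + "%"
    cursor.execute(f"SELECT * FROM users WHERE name = '{user_input}'")
    cursor.execute("SELECT * FROM users WHERE name LIKE %s", (pattern,))
    cursor.execute("SELECT COUNT(*) FROM users")
'''

# Calls whose return value is attacker-controlled (assumed list)
TAINT_SOURCES = {"request.args.get", "request.form.get", "input"}
# Calls whose first argument is interpreted as SQL (assumed list)
QUERY_SINKS = {"cursor.execute", "db.execute"}


class TaintTracker(ast.NodeVisitor):
    """Intraprocedural, flow-insensitive taint propagation over one function."""

    def __init__(self):
        self.tainted = set()    # names currently holding attacker-controlled data
        self.findings = []      # (line, sink expression) pairs

    def is_tainted(self, node) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):              # e.g. request.args.get("q")
            return ast.unparse(node.func) in TAINT_SOURCES
        if isinstance(node, ast.BinOp):             # "%" + user_input + "%"
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):         # f"... {user_input} ..."
            return any(self.is_tainted(part.value)
                       for part in node.values if isinstance(part, ast.FormattedValue))
        return False                                # constants and anything else

    def visit_Assign(self, node):
        # Propagate taint to the assigned name, or clear it on a clean overwrite
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        # Only the query text (args[0]) matters; bound parameters are data, not code
        if node.args and ast.unparse(node.func) in QUERY_SINKS:
            if self.is_tainted(node.args[0]):
                self.findings.append((node.lineno, ast.unparse(node.args[0])))
        self.generic_visit(node)


def find_injections(source: str) -> list:
    """Run the tracker over each function and collect (line, expression) findings."""
    tree = ast.parse(source)
    results = []
    for fn in ast.walk(tree):
        if isinstance(fn, ast.FunctionDef):
            tracker = TaintTracker()
            tracker.visit(fn)
            results.extend(tracker.findings)
    return results


if __name__ == "__main__":
    for line, expr in find_injections(SAMPLE_SOURCE):
        print(f"line {line}: tainted query passed to execute(): {expr}")
```

Line 5 is reported because the f-string embeds `user_input`; line 6 is not, even though `pattern` is tainted, because it is passed as a bound parameter rather than spliced into the query string. Distinguishing those two cases is exactly what separates data flow analysis from the pattern matching in section 1.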
SAST Limitations
Be aware of what SAST cannot do:
- Runtime behavior: Can't detect issues that only appear at runtime
- Business logic flaws: Doesn't understand your application's intent
- Configuration issues: Usually focuses on code, not config files
- Third-party closed-source code: Can only analyze source you provide
Choosing SAST Results to Act On
Not all findings are equal. Prioritize by:
- Severity: Critical > High > Medium > Low
- Confidence: High confidence findings are more likely true positives
- Exploitability: Can this vulnerability be reached by an attacker?
- Data sensitivity: Does this affect PII, credentials, or financial data?
Next, we'll explore the top SAST tools and when to use each.