that 92% of their respondents in a 2015 survey said they had experienced IT or security incidents in the previous 12 months and that 74% of these breaches originated from insiders. Lee Hadlington categorized internal threats into three categories: malicious, accidental, and unintentional. The explosive growth of mobile applications implies securing applications earlier in the development process to reduce the development of malicious code.
Scanning many lines of code with SAST tools may result in hundreds or thousands of vulnerability warnings for a single application. It can generate many false positives, increasing investigation time and reducing trust in such tools. This is particularly the case when the context of the vulnerability
Even though developers view SAST tools positively, there are several challenges to their adoption. The usability of the output these tools generate may limit how much developers can make use of them. Research shows that despite the long out
The rise of web applications entailed testing them: the Verizon Data Breach report in 2016 states that 40% of all data breaches exploit web application vulnerabilities. As well as external security validations, there is a rising focus on internal threats. The Clearswift Insider Threat Index (CITI) has reported
SAST tools are integrated into the development process to help development teams, whose primary focus is developing and delivering software that meets the requested specifications. SAST tools, like other security tools, focus on reducing the risk of application downtime or that private
Since the late 1990s, the need to adapt to business challenges has transformed software development, with componentization enforced by processes and the organization of development teams. Following the flow of data between all the components of an application or group of applications allows validation of
The earlier a vulnerability is fixed in the SDLC, the cheaper it is to fix. Costs to fix in development are 10 times lower than in testing, and 100 times lower than in production. SAST tools run automatically, either at the code level or the application level, and do not require interaction. When
(SDLC), SAST is performed early in the development process and at code level, and also when all pieces of code and components are put together in a consistent testing environment. SAST is also used for software quality assurance, even if the many resulting
A SAST tool scans the source code of applications and their components to identify potential security vulnerabilities in their software and architecture. Static analysis tools can detect an estimated 50% of existing security vulnerabilities.
Static analysis tools examine the text of a program syntactically. They look for a fixed set of patterns or rules in the source code. Theoretically, they can also examine a compiled form of the software. This technique relies on
SAST tools can offer extended functionalities such as quality and architectural testing. There is a direct correlation between quality and security: poor-quality software is also poorly secured software.
With Agile processes in software development, early integration of SAST generates many bug findings, as developers using this framework focus first on features and delivery.
The precision of a SAST tool is determined by its scope of analysis and the specific techniques used to identify vulnerabilities. Different levels of analysis include:
of the code to do the mapping between compiled components and source code components to identify issues. Static analysis can be done manually as a
integrated into a CI/CD context, SAST tools can be used to automatically stop the integration process if critical vulnerabilities are identified.
For the year 2018, the Privacy Rights Clearinghouse database shows that more than 612 million records were compromised by hacking.
) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of
The scope of the analysis determines its accuracy and capacity to detect vulnerabilities using contextual information. SAST tools, unlike
has existed as long as computers have existed, the technique spread to security in the late 1990s and the first public discussion of
covers its execution, possibly missing part of the application or insecure configuration in configuration files.
gives developers real-time feedback and helps them fix flaws before they pass the code to the next level.
Application security tests of applications before their release: static application security testing (SAST),
(DAST), and interactive application security testing (IAST), a combination of the two.
of application functionality, SAST tools focus on the code content of the application,
of the code for different purposes, including security, but it is time-consuming.
Because the tool scans the entire source code, it can cover 100% of it, while
and that proper actions are taken to taint data in specific pieces of code.
At a function level, a common technique is the construction of an
in 1998 when Web applications integrated new technologies like
information stored in applications will not be compromised.
- an extensible program-code template for object creation.
generated by these tools, they may lack usability.
to control the flow of data within the function.
- a program or group of programs that interact.
required calls to dedicated procedures for
Interactive application security testing
Dynamic application security testing
dynamic application security testing
dynamic application security testing
dynamic application security testing
statically analyzing the source code
Static application security testing
impede its adoption by developers
software development life cycle
cannot be caught by the tool.
Software securing application
- sequences of instructions.
Static program analysis
Abstract syntax tree
file or class-level
application level
white-box testing
black-box testing
(DAST) tools for
Security testing
Lint (software)
SAST weaknesses
instrumentation
SAST strengths
function level
false-positive
SQL injection
sanitization
code review
JavaScript
See also
auditing
Overview
In the
Unlike
Flash
DAST
and
SAST
or