In a previous article, we covered what Static Application Security Testing (SAST) is, why it matters, and its pros and cons. Today, we focus on implementing SAST effectively in your organization.
Implementing a SAST tool is fairly easy when you do it at the beginning of a new project. It becomes challenging when you already have a large codebase or are dealing with legacy systems, because the first scan surfaces a backlog of findings that nobody can fix at once.
To help you out, here are 6 steps to implement SAST successfully in your organization. They will help you get the most out of your SAST tool.
#1 – Find the right SAST tool
First, you’ll need to find a SAST tool that supports your programming languages, fits your development process, and integrates easily with the applications and repositories you already have. When choosing the tool, ask the following questions:
- What programming languages can the tool scan? Many tools support a limited range of programming languages, so paying attention to the tool’s support is essential. For example, Codacy supports more than 40 programming languages and frameworks and gives you actionable advice on how to solve the vulnerabilities in your source code.
- How does the tool perform scans? You must understand how the tool works and whether it fits your needs. Does the tool have an on-prem option or only cloud? Is it enough to run the tool in developers’ IDEs, or do you need a global, centralized solution that scans every repository?
- Which types of vulnerabilities can the tool detect? Depending on your organization and business goals, you will have different requirements for which vulnerabilities the tool must catch. A good indicator is whether the tool helps you prevent the OWASP Top 10 categories (injection, broken access control, cryptographic failures, and so on).
- How configurable is the tool? In most cases, you want a solution that lets you customize the results, the reports, and the types of issues the tool reports. False positives are a known problem for many SAST tools, so it is crucial to be able to tune rules, suppress accepted findings, and write rules of your own.
- How is the solution licensed? Can you run the tool on your own servers? Is the pricing per line of code scanned or per seat? The license and pricing model is often a decisive factor.
#2 – Create the infrastructure and deploy the SAST tool
If the tool you chose offers more than one deployment method, select the one that matches how much control you need and how you expect to scale:
- SAST on-premises: maintain complete control over your deployment, and comply with internal technical and security requirements;
- SAST in the cloud: get up and running quickly and scale your deployment easily when needed.
Then, handle the licensing requirements, obtain the necessary resources (e.g., databases and servers), and set up access control and authorization to deploy the tool. Finally, you’ll need to configure the software development lifecycle integration of the tool, considering your development toolchain and the “shift-left” strategy of your organization.
#3 – Customize the SAST tool
After you deploy the tool, it’s time to do the initial customization, where you fine-tune the tool to suit your needs better. You can focus on several things:
- Reducing false positives by fine-tuning the ruleset,
- Writing new rules and updating existing ones,
- Integrating the tool with your build or CI/CD environment,
- Creating dashboards to keep track of scan reports, and
- Generating custom reports.
#4 – Prioritize and onboard your applications
Once the tool is ready, start onboarding your applications. If you have a long list of applications, you’ll need to prioritize them. Considerations include application risk (internet exposure, sensitive data handled), compliance requirements, and how many vulnerabilities are already known to be open in each one.
However, your final goal should be to have all applications onboarded. Remember that this is a one-time effort to be performed together with your development team.
After onboarding, make sure your applications are scanned regularly: on code check-ins, on daily, weekly or monthly builds, and on release cycles.
#5 – Evaluate the scan results
The first results of any SAST tool can be scary, and you’ll probably be surprised by the type and number of issues you see.
Before looking at the scan results, make sure you know the application’s context. If you know who the users are, which security mechanisms are implemented, and how input is validated, you’ll be able to triage the results better and eliminate false positives. You’ll also know whether you need to customize the SAST tool further to avoid the same false positives in the future.
After establishing the real issues, track them and hand them to the development team for remediation. As they fix bugs and vulnerabilities and add new code, you’ll repeat the cycle: perform a differential or incremental scan that reports only the findings introduced by the code that just changed, rather than the full backlog every time.
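As an added example (not Codacy’s engine and not code from the original article), here is a minimal AST-based SAST scanner for Python that shows the mechanics behind steps 3 and 5: a small ruleset in which one rule is tuned to avoid a common false positive, a hypothetical inline suppression marker, a baseline recorded when a legacy application is onboarded, a differential scan that reports only new findings, and a CI gate that blocks the build only on agreed severities. The rule ids, the `sast: ignore` marker syntax and the two sample sources are constructed for illustration.

```python
from __future__ import annotations

import ast
import hashlib
from dataclasses import dataclass

# Hypothetical inline suppression syntax, e.g. `foo()  # sast: ignore PY002`.
SUPPRESS_MARKER = "sast: ignore"

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    message: str

def _dotted(node: ast.AST) -> str:
    """Return 'pkg.attr' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def _keyword(call: ast.Call, name: str):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)

def _is_eval(call: ast.Call) -> bool:
    return _dotted(call.func) in {"eval", "exec"}

def _is_shell_true(call: ast.Call) -> bool:
    if not _dotted(call.func).startswith("subprocess."):
        return False
    shell = _keyword(call, "shell")
    return isinstance(shell, ast.Constant) and shell.value is True

def _is_weak_hash(call: ast.Call) -> bool:
    if _dotted(call.func) not in {"hashlib.md5", "hashlib.sha1"}:
        return False
    # Ruleset tuning: usedforsecurity=False marks a checksum, not a security
    # hash, so it is not reported (a frequent false positive otherwise).
    flag = _keyword(call, "usedforsecurity")
    return not (isinstance(flag, ast.Constant) and flag.value is False)

# (rule id, severity, predicate, message); hypothetical ids, not Codacy's.
RULES = [
    ("PY001", "high", _is_eval, "eval()/exec() on untrusted data is code injection"),
    ("PY002", "high", _is_shell_true, "subprocess with shell=True enables command injection"),
    ("PY003", "medium", _is_weak_hash, "md5/sha1 used where a security hash is expected"),
]

def scan(source: str, rules=RULES) -> list[Finding]:
    """Run every rule over every call in the module; honour inline suppressions."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        text = lines[node.lineno - 1]
        for rule_id, severity, predicate, message in rules:
            if predicate(node) and f"{SUPPRESS_MARKER} {rule_id}" not in text:
                findings.append(Finding(rule_id, severity, node.lineno, message))
    return sorted(findings, key=lambda f: (f.line, f.rule_id))

def fingerprint(path: str, source: str, f: Finding) -> str:
    """Stable id from rule + file + offending line text (not the line number),
    so a known finding is not reported as new when code is added above it."""
    text = source.splitlines()[f.line - 1].strip()
    return hashlib.sha256(f"{f.rule_id}|{path}|{text}".encode()).hexdigest()[:16]

def baseline(path: str, source: str) -> set[str]:
    """Onboarding a legacy app: record what is already there, fix it over time."""
    return {fingerprint(path, source, f) for f in scan(source)}

def new_findings(path: str, source: str, known: set[str]) -> list[Finding]:
    """Differential scan: only findings whose fingerprint is not in the baseline."""
    return [f for f in scan(source) if fingerprint(path, source, f) not in known]

def build_passes(findings: list[Finding], fail_on=("high",)) -> bool:
    """CI gate: block the merge only on the severities you have agreed to block."""
    return not any(f.severity in fail_on for f in findings)

# Constructed sample inputs (not real project code).
LEGACY = """import hashlib, subprocess
digest = hashlib.md5(data).hexdigest()
subprocess.run(cmd, shell=True)
"""
CHANGED = """import hashlib, subprocess
result = eval(user_input)
digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
subprocess.run(cmd, shell=True)  # sast: ignore PY002 (cmd is a constant, reviewed)
"""

if __name__ == "__main__":
    for f in new_findings("app.py", CHANGED, baseline("app.py", LEGACY)):
        print(f"app.py:{f.line} {f.rule_id} [{f.severity}] {f.message}")
```

Scanning `LEGACY` on its own yields two findings (the md5 call and the `shell=True` call). After that baseline is recorded, scanning `CHANGED` reports only the new `eval()` call: the md5 finding disappears because the code was fixed, and the `shell=True` finding is suppressed inline with a reason. Fingerprinting on line text rather than line number is what keeps the differential scan quiet when unrelated code is inserted above an old finding; a real tool usually also normalizes whitespace and hashes a few lines of context.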
#6 – Provide governance, training, and reporting
Make sure that your development team is using the SAST tool properly: they need to run it as part of their development process, not only when a release is due. Your code must be checked regularly before it makes its way to production.
Your development team gets the most out of the SAST tool with proper training, both on the tool itself and on the vulnerability classes it reports. With SAST, you identify and deal with issues during the early stages of the development lifecycle, when they are cheapest to fix, allowing your developers to ship high-quality code.
Finally, you’ll need to report on issues. You can use the built-in reports that the SAST tool generates or push the data to the reporting tools you already have in place.
G2 nominates Codacy as the Easiest to Implement and Use SAST tool
If you’re looking for a SAST tool that allows you to check your code quality and keep track of your technical debt, try out Codacy today.